Following Quickstart guide Fails

[danielheth]

Following quickstart guide (here: https://developer.okta.com/quickstart/#/angular/nodejs/express) but having problems post-login.

Clearly i have logged in, and I have tokens, however they are sitting within my Cookies not Local Storage like the guide says.

Not sure if this is affecting the isAuthenticated function... but unable to retrieve token as a result for use.

[danielheth]

I was able to track down that you're using the localStorage browser functionality to store tokens... i tested it by using:

localStorage.setItem('hello', '1234');
console.log('hello:', localStorage.getItem('hello'));

And didn't have any troubles.. so somewhere in your code... localStorage isn't working correctly.

[danielheth]

Finally got a very simple angular2 app working... but the instant i enabled HashLocationStrategy (https://angular.io/api/common/HashLocationStrategy) things blew up.

I believe it is because this line assumes there will only be one hash (#) within the url... https://github.com/okta/okta-auth-js/blob/f162b052efd664dd0db843032c1970dec4639e66/lib/token.js#L599

[robertdamphousse-okta]

Hi @danielheth , in its default configuration the AuthJS library does need to use the # fragment. You can configure the callback to be query-parameter based, which would allow you to use the # fragment for your own routing instead. However I'm not sure if this library has property abstracted those configuration options. I'm referring to the responseMode option that is mentioned here:

https://github.com/okta/okta-auth-js#openid-connect-options

[lboyette-okta]

The OAuth spec requires that only one hash fragment exist.

   The redirection endpoint URI MUST be an absolute URI as defined by
   [RFC3986] Section 4.3.  The endpoint URI MAY include an
   "application/x-www-form-urlencoded" formatted (per Appendix B) query
   component ([RFC3986] Section 3.4), which MUST be retained when adding
   additional query parameters.  The endpoint URI MUST NOT include a
   fragment component.

So you have two options:

1. Do URL rewrites for your SPA
2. Create another page that's not part of the SPA that contains your callback logic. This will be your new redirect_uri. Make sure to add this page's url to your list of redirect uris in Okta. Here's what it might look like:

<!-- callback.html -->
<script>
// OIDC variables
var issuer = '## your issuer ##';
var clientId = '## your clientId ##';
var redirectUri = '## your redirect uri (this page) ##';
var redirectAfterSuccess = '## your destination after successful signin ##';

// build an auth client
var client = new OktaAuth({
  url: issuer.split('/oauth2/')[0],
  clientId: clientId
  issuer: issuer,
  redirectUri: redirectUri
});

// parse tokens from the url
client.token.parseFromUrl()
.then(function(tokens) {

  // add tokens to the tokenManager
  for (var t = 0; t < tokens.length; t++) {
    var token = tokens[t];
    if (token.idToken) {
      client.tokenManager.add('idToken', token);
    } else if (token.accessToken) {
      client.tokenManager.add('accessToken', token);
    }
  }

  // redirect when finished
  window.location = redirectAfterSuccess;
})
.catch(function(err) {
  // handle the error
});
</script>

[jmelberg-okta]

Closing down this issue due the answers provided. Please reopen is the problem persists.