The library fails to fetch state and access token correctly for Instagram implicit oauth

[shekoufa]

Based on Instagram's documentation, for the Client-Side (Implicit) Authentication they provide the response to the authentication request as below:
http://your-redirect-uri?state=STATE#access_token=ACCESS-TOKEN
As can be seen from the above, only the access token is provided as a fragment in the url. However, currently the library query-string in oauth2.js to fetch the value after the hash and searches for state and access_token in it. This process makes the library unable to fetch the state correctly and even upon successful authentication it always returns:
{type: "LOGIN_FAILURE", error: "Invalid state returned."} as the login function's return value. I can volunteer to create a pull request to fix this.

[danilobuerger]

Please provide the link to the documentation where this can be seen. I am unable to find it.

[shekoufa]

Oh sorry. I forgot to provide you with the documentation page. Here's the URL to the documentation: https://www.instagram.com/developer/authentication/
Look under Client-Side (Implicit) Authentication section. They haven't provided any information about how they return the state parameter but I tried it yesterday and I got the following response back:
https://localhost/spa?state=cjea3quq70001327u7oimek2i#access_token=2217073821.1b3bd31.cab79c4b09544080b8e20c44bc97b25a
The state parameter is definitely not a part of the fragment. Also, for Linkedin, it's even worse. Linkedin does not return the parameters in the redirect URL inside a fragment at all. Following is a sample of response I got from Linkedin:
https://localhost/spa/login?code=BQR11Uqv2yker7bLYV2AGO3HSeWS5FPVovHFmGj3a6w-eMog8nOkRzJuouJdycJGKxz4N1iM0V90YVQUTkgVeCpN2wzHBWhU0jiwAO2El1f9VUZheGcFx7rzVEwidpq9Qc7-9GhYKMHqasGbswilwnn0FzM6cQ&state=cjeaee3c20000817u409s22ix

I looked at your library's implementation and for linkedin, since there is not fragment (hash) in the url, the popup won't be closed and the window gets redirected to the redirect url provided. Also, linkedin returns code instead of access_token (see https://developer.linkedin.com/docs/oauth2# Step 2 — Request an Authorization Code, under Application is approved), but your library searches for access_token anyways. Let me know if I can provide you with any other info :)

[danilobuerger]

Ok. If you want to tackle this, it should be made configurable with the default confirming to RFC 6749. The config could contain keys like so:

config = {
  accessTokenKey: "code" // default: "access_token"
  parseQuery: true // default: false
}

[shekoufa]

Awesome. Thanks for letting me do this. Do we have a task for this or should I just create a manual branch and finally create the PR to the master branch? Also, could you please give me the required permissions to create a pull request. Honestly, this is my first time ever trying to contribute to a project on Github so I'm a little bit in the dark :)

[danilobuerger]

You don't need extra permissions to create a Pull Request. Just use standard Github flow with forks: https://guides.github.com/introduction/flow/

[shekoufa]

👍

[shekoufa]

Hey @danilobuerger. I just created a PR for this.
#14