Why do OAuth 2.0 providers return access tokens in the hash and not the query string?
-
I'm writing an OAuth 2.0 authentication system for a client using PHP (and avoiding JavaScript when possible). The OAuth providers that I'm using (Facebook, Google, and Microsoft) insist on providing the access token in the URL hash (i.e. "http://www.something.com/signon.php#access_token=INSERT_TOKEN_HERE"). From what I've read on the internet, PHP cannot access the hash part of the URL (everything after the '#'). I can access this with JavaScript and send it to PHP, but this is what I feel is an unnecessary step. So, in addition to the initial question above, I'm looking for a few other things:
1) Am I missing out on some, possibly security related, reason as to why this isn't simply passed in the query string?
2) Is there a way for PHP to access the hash string, thereby eliminating my need to use JavaScript?
3) *BONUS* Can I access the hash with other server-side languages such as ASP, Python, or Ruby?
Thanks.
-
Answer:
The token is returned in the hash in the OAuth 2.0 Implicit Grant. There is no way that server-side languages will have access to the hash, because it is not passed on the HTTP GET request. For PHP and other server-side languages, you should request the OAuth 2.0 Authorization Code grant, which will pass through an authorization code phase. See:
Miguel Paraz at Quora
Other answers
OAuth 2 has several different ways to get a token which fit different kinds of clients. You're describing the implicit flow, which is explicitly designed to not leak the token back to the server. You want the token at the server, which is where the problem comes in: you're using the wrong flow. The implicit flow of OAuth is meant only for in-browser clients, in effect giving you session sharing, not server-side or native apps. For those, use the authorization code flow. It's more secure and designed for this scenario.
Justin Richer
It's called the URI fragment [https://tools.ietf.org/html/rfc3986#section-3.5], and the value presented after # is called a fragment identifier (https://en.wikipedia.org/wiki/Fragment_identifier). It's only used in the implicit grant_type; general use is for a trusted web app. A client-side library has to pick that up and send the token request. Flow details are documented here [https://tools.ietf.org/html/rfc6749#section-4.2].
Abhishek Tyagi
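The point made in the answers above (the implicit grant's token lives in the fragment, which the browser never sends to the server, while the authorization code grant puts a short-lived code in the query string and exchanges it on a back channel) can be shown end to end without a real provider. The following is an added example, not code from any of the answerers: a toy authorization server and a server-side client run in one process. The client id, client secret, redirect URI and the `ToyAuthorizationServer` / `ServerSideClient` names are constructed for illustration. `server_side_request` models what PHP's `$_GET` (or any WSGI/Rack handler) actually receives from the redirect URL.

```python
"""Added example: why a server-side app cannot read the implicit grant's
fragment, and how the authorization code grant delivers a token instead.
Everything here is in-process; no network, no real provider."""
import secrets
from urllib.parse import urlparse, parse_qs, urlencode

CLIENT_ID = "my-app"            # constructed client registration
CLIENT_SECRET = "s3cret"        # constructed; real secrets live in config, not source
REDIRECT_URI = "https://www.example.com/signon.php"  # constructed


class ToyAuthorizationServer:
    """Hypothetical provider that supports both response types."""

    def __init__(self):
        self.clients = {CLIENT_ID: CLIENT_SECRET}
        self.codes = {}  # issued code -> (client_id, redirect_uri); single use

    def authorize(self, response_type, client_id, redirect_uri, state):
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if response_type == "token":
            # Implicit grant (RFC 6749 s4.2.2): token goes in the fragment.
            params = {"access_token": secrets.token_urlsafe(16),
                      "token_type": "bearer", "state": state}
            return redirect_uri + "#" + urlencode(params)
        if response_type == "code":
            # Authorization code grant (RFC 6749 s4.1.2): code goes in the query.
            code = secrets.token_urlsafe(16)
            self.codes[code] = (client_id, redirect_uri)
            return redirect_uri + "?" + urlencode({"code": code, "state": state})
        raise ValueError("unsupported response_type")

    def token(self, code, client_id, client_secret, redirect_uri):
        """Back-channel exchange: the client authenticates with its secret,
        the code must be one it was issued, and it is consumed on use."""
        if self.clients.get(client_id) != client_secret:
            return None
        if self.codes.pop(code, None) != (client_id, redirect_uri):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer"}


def server_side_request(redirect_url):
    """What the server receives when the browser follows the redirect:
    path and query only. The fragment is stripped by the user agent
    (RFC 3986 s3.5), so a server-side language never sees it."""
    parts = urlparse(redirect_url)
    return parts.path, parse_qs(parts.query)


class ServerSideClient:
    """Models signon.php: starts a login and handles the redirect back."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.session = {}  # stands in for a server-side session store

    def start_login(self, response_type):
        # Bind the login attempt to this session so the callback can be checked.
        state = secrets.token_urlsafe(16)
        self.session["state"] = state
        return self.auth.authorize(response_type, CLIENT_ID, REDIRECT_URI, state)

    def handle_callback(self, redirect_url):
        _path, query = server_side_request(redirect_url)
        if "code" not in query:
            # Implicit grant: the token was in the fragment and never arrived.
            return None
        if query.get("state", [None])[0] != self.session.get("state"):
            # state mismatch: a callback this session did not initiate
            return None
        return self.auth.token(query["code"][0], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)


if __name__ == "__main__":
    server = ToyAuthorizationServer()
    app = ServerSideClient(server)
    implicit_url = app.start_login("token")
    print("implicit redirect:", implicit_url)
    print("server-side result:", app.handle_callback(implicit_url))
    code_url = app.start_login("code")
    print("code redirect:", code_url)
    print("server-side result:", app.handle_callback(code_url))
```

Running it prints a redirect with `#access_token=...` for which the server-side handler gets nothing, then a redirect with `?code=...` that the handler turns into a token by calling the token endpoint with the client secret. The `state` check and the single-use code are the two properties the code flow adds on top of simply moving data from the fragment to the query string.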