asp.net - AAD with JWT: Hide Id_Token from URL

Question

I'm using AAD to request a token. I have a redirect in Azure to https://localhost:44313/index.html, however, when the login is made and it redirects, token is write on my URL, something like this: https://localhost:44313/index.html#!#id_token=eyJ0eXAiOiJKV1QiLCJhb...

I'm using ADAL, and if I print {{userInfo}} it prints nothing, but, if I remove #! from url, it has a correct action, my url turns to: https://localhost:44313/index.html and print {{userInfo}} as it should be.

Why this is happening, what should I do to avoid token on url? Should I have some action to remove manually #! from url?

This is a Native-Application on Azure, using Angular and HTML.

Thank you all

Answer 1

When Html5Mode is enabled, the links on the page are replaced by Angular with event listeners. When these events are triggered, the current page is pushed into the browser history, and the new page is loaded. This gives the illusion that you are navigating to a new page, and even allows for the back button to operate.

see AngularJS - How does $location html5Mode work? Use following to remove !#

angular.module('app', [])

    .config(function($routeProvider, $locationProvider) {



        // use the HTML5 History API
        $locationProvider.html5Mode({ enabled: true, requireBase: true });
    });

On the redirect page that you have selected on Azure, in this case, https://localhost:44313/index.html, edit HTML and add the following:

<head> <base href="/"> </head>

Thank you