Get location fragment with Fetch API redirect response

Question

I am trying to get the redirect response location fragment of a fetch API request. But I can't figure how to access it, if possible.

The context is that I am doing an OpenID Connect request in implicit flow, for a WebRTC Identity Proxy assertion generation. OIDC specs define the answer of the request as:

When using the Implicit Flow, all response parameters are added to the fragment component of the Redirection URI

HTTP/1.1 302 Found Location: https://client.example.org/cb# access_token=SlAV32hkKG ...

So I'm making the request with fetch set in manual mode. But the response is then an opaque-redirect filtered response, which hides the location header. (https://fetch.spec.whatwg.org/#concept-filtered-response-opaque-redirect)

Other mode for fetch are error and follow which would not help. While XHR automatically follows the redirect so would not help either. I may be missing something from the fetch API, but it seems to be something hidden on purpose.

Could someone gives me a way to access this information (or a confirmation it's impossible) ?

Is there any alternative to fetch and XHR to make this request, which would allow to access the redirect location header?

Answer 1

Since XHR automatically / opaquely follows redirects (in the event you're using the whatwg-fetch polyfill for example), one possible solution is to check the response.url of the fetch resolution, to see if it matches a redirect location that you expect.

This only helps if the possible redirect locations are limited or match some pattern --- for instance, if you could expect at any time to be redirect to /login:

function fetchMiddleware(response) {
  const a = document.createElement('a');
  a.href = response.url;
  if (a.pathname === '/login') {
    // ...
  } else {
    return response;
  }
}

fetch(`/api`)
  .then(fetchMiddleware)
  .then(function (response) {
    // ...
  });

Answer 2

fetch isn't able to polyfill the entire standard. Some notable differences include:

Inability to set the redirect mode.

See David Graham comment on the Disable follow redirect:

This is a nice addition to the Fetch API, but we won't be able to polyfill it with XMLHttpRequest. The browser navigates all redirects before returning a result, so there is no opportunity to interrupt the redirect flow.

My Solution:

1). First solution: we are sending 200 status and redirect url(in the http header) from the server and client is redirecting based on that.

2). Second solution: Server could also redirect to with 301 and redirect url. I think, This is the best solution(i.e if we consider SEO).