feat: Transition OIDC JWT token passing from URL hash to query parameter and enable auth features by default.

k-notes-frontend/src/pages/oidc-callback.tsx

@@ -22,10 +22,11 @@ export default function OidcCallbackPage() {
     const { t } = useTranslation();
 
     useEffect(() => {
-        // Check for token in URL hash (implicit flow) or query params
+        // Check for token in query params (primary) or URL hash (legacy/fallback)
+        const token = searchParams.get("token");
         const hashParams = new URLSearchParams(window.location.hash.slice(1));
         const accessToken =
-            hashParams.get("access_token") || searchParams.get("access_token");
+            token || searchParams.get("access_token") || hashParams.get("access_token");
 
         if (accessToken) {
             // JWT mode: store the token

notes-api/src/routes/auth.rs

@@ -387,12 +387,13 @@ async fn oidc_callback(
         .await
         .map_err(|_| ApiError::Internal("Session error".into()))?;
 
-    // In JWT mode, redirect to frontend with token in URL fragment
+    // In JWT mode, redirect to frontend with token in query parameter
+    // Note: Hash fragments (#) are not preserved in HTTP redirects, so we use query params
     #[cfg(feature = "auth-jwt")]
     if matches!(auth_mode, AuthMode::Jwt | AuthMode::Both) {
         let token = create_jwt_for_user(&user, &state)?;
         let redirect_url = format!(
-            "{}/auth/callback#access_token={}",
+            "{}/auth/callback?token={}",
             state.config.frontend_url, token
         );
         return Ok(axum::response::Redirect::to(&redirect_url).into_response());
@@ -464,12 +465,13 @@ async fn oidc_callback(
         .await
         .map_err(|_| ApiError::Internal("Session error".into()))?;
 
-    // Redirect to frontend with token in URL fragment
+    // Redirect to frontend with token in query parameter
+    // Note: Hash fragments (#) are not preserved in HTTP redirects, so we use query params
     #[cfg(feature = "auth-jwt")]
     {
         let token = create_jwt_for_user(&user, &state)?;
         let redirect_url = format!(
-            "{}/auth/callback#access_token={}",
+            "{}/auth/callback?token={}",
             state.config.frontend_url, token
         );
         return Ok(axum::response::Redirect::to(&redirect_url));