Browser callback page
When Tokens.Enabled and a browser completes OAuth without Accept: application/json, goauth can return a small HTML page that:
- Parses tokens from the response body
- Stores them in
localStorageunder the keygoauth - Posts a message to
window.opener(popup flow) or redirects toCallbackPage
Configure the redirect target:
Tokens: goauth.TokensConfig{
Enabled: true,
CallbackPage: "https://app.example.com/dashboard",
},
Popup vs full-page
| Flow | Behavior |
|---|---|
window.open popup | postMessage to opener + window.close() |
| Full redirect | location.href = CallbackPage |
Programmatic JSON
Clients that want raw JSON (no HTML) should send:
Accept: application/json
or X-Auth-Return-Redirect: true per isProgrammaticTokenRequest logic.
See client-javascript.