Adam,

Thanks for the reply. You are correct, passing a valid set of credentials via basic auth does return the redirect. I must have been using the wrong credentials (local instance vs test environment), my bad. This also works with any custom URI scheme, so it looks like this can be used to send the user to a native application by registering a custom URI scheme. Here is the working toy example:


curl -silent -I -k --user user:pass https://domain/labkey/login/createToken.view?returnUrl=myapp://authenticate

output:

HTTP/1.1 302 Found
Date: Wed, 26 Nov 2014 18:23:51 GMT
Server: Labkey/14.30
Set-Cookie: X-LABKEY-CSRF=6d9eefe186b198c5ef1cc3fff7450ec5; Path=/labkey
Set-Cookie: JSESSIONID=FB952D2070B757F744C3C18FD4C77F8A; Path=/labkey/; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-MiniProfiler-Ids: [710]
Pragma: no-cache
Cache-Control: no-cache
Cache-Control: no-store
Location: myapp://authenticate/?labkeyToken=76a848ae158323b3b4d35e4a451b8a7a&labkeyEmail=anthonycor%40gmail.com
Content-Type: text/html;charset=UTF-8


As you can see the Location header contains the expected query parameters and custom URI scheme. The parameters can be parsed and used by the client that is not a web application per se! :) Also, the session cookie is also there so if the client can handle storing cookie information it can be used for API calls.

Thanks for the help!

-
Anthony