full implicit flow support?
@tikurahul I know you have mentioned this in https://github.com/openid/AppAuth-JS/issues/8#issuecomment-309239324 but implicit auth would still be a cool feature. For SPA implicit auth is required and support for it is basically already there, we only need to make sure that the correct data is returned here: https://github.com/openid/AppAuth-JS/blob/master/src/redirect_based_handler.ts#L102 if ‘token’ (instead of code) was requested.
What I do now in my SPA as a workaround:
```js
const {AuthorizationServiceConfiguration} = require('@openid/appauth/built/authorization_service_configuration.js');
const {AuthorizationRequest} = require('@openid/appauth/built/authorization_request.js');
const {AuthorizationNotifier} = require('@openid/appauth/built/authorization_request_handler.js');
const {RedirectRequestHandler} = require('@openid/appauth/built/redirect_based_handler.js');

var login = {
  // Wire up the notifier and handler, then process a pending redirect response if there is one.
  init: function() {
    this.notifier = new AuthorizationNotifier();
    this.handler = new RedirectRequestHandler();
    this.notifier.setAuthorizationListener(function (request, response, error) {
      // The tokens are read from the URL fragment directly.
      var hash = login.parseAuthorizationResponse();
      if (response && hash.access_token) {
        // do something useful here with hash.access_token...
      } else {
        // error
      }
      // destroy hash
      window.location.hash = '';
    });
    this.handler.setAuthorizationNotifier(this.notifier);
    this.handler.completeAuthorizationRequestIfPossible();
  },

  // Start the request with response_type 'id_token token' and a nonce taken from Math.random().
  initOidcAuth: function(idp) {
    AuthorizationServiceConfiguration.fetchFromIssuer(idp.providerUrl).then(configuration => {
      var request = new AuthorizationRequest(
        idp.clientId, idp.redirectUri, idp.scope, 'id_token token', undefined, {'nonce': Math.random().toString(36).slice(2)});
      login.handler.performAuthorizationRequest(configuration, request);
    });
  },

  // Split the fragment into key/value pairs and URL-decode each of them.
  parseAuthorizationResponse: function() {
    var hash = window.location.hash.substr(1);
    var obj = {};
    var pairs = hash.split('&');
    for (let i in pairs) {
      let split = pairs[i].split('=');
      obj[decodeURIComponent(split[0])] = decodeURIComponent(split[1]);
    }
    return obj;
  }
};
```
Issue Analytics
- State:
- Created 6 years ago
- Comments:10 (3 by maintainers)
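As an added example (not code from the issue or from AppAuth-JS): a stricter way to handle the fragment that the workaround above parses by hand. It checks `state`, requires both tokens, and compares the `nonce` claim in the ID token with the value sent in the request; the helper names and the sample fragment are constructed for illustration, and the ID token signature is not verified here.

```javascript
// Added example; helper names are hypothetical, not part of AppAuth-JS.
const webCrypto = globalThis.crypto ?? require('crypto').webcrypto;

// 128 bits from a CSPRNG, hex encoded; use one value each for state and nonce.
function randomToken() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Decode the payload segment of a JWT. This does NOT verify the signature;
// a real client must also validate signature, iss, aud and exp.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), '=')));
}

// hash: window.location.hash; expected: { state, nonce } saved before the redirect.
function parseImplicitResponse(hash, expected) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.has('error')) return { ok: false, reason: 'idp_error:' + params.get('error') };
  if (!expected.state || params.get('state') !== expected.state) {
    return { ok: false, reason: 'state_mismatch' };
  }
  const accessToken = params.get('access_token');
  const idToken = params.get('id_token');
  if (!accessToken || !idToken) return { ok: false, reason: 'missing_token' };
  let claims;
  try {
    claims = decodeJwtPayload(idToken);
  } catch (e) {
    return { ok: false, reason: 'bad_id_token' };
  }
  if (!claims || !expected.nonce || claims.nonce !== expected.nonce) {
    return { ok: false, reason: 'nonce_mismatch' };
  }
  return { ok: true, accessToken, claims };
}

// Constructed sample response (unsigned ID token, illustration only).
function sampleFragment(state, nonce) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const idToken = [enc({ alg: 'none' }), enc({ sub: 'user-1', nonce }), 'sig'].join('.');
  const fields = { access_token: 'at-123', token_type: 'Bearer', id_token: idToken, state };
  return '#' + new URLSearchParams(fields).toString();
}
```

In a browser, `expected` would be read back from wherever the page stored the two values before calling `performAuthorizationRequest`, and the fragment should be cleared once it has been parsed.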
Top GitHub Comments
Isn’t the idea behind AppAuth to follow the almost-BCP? On the topic of implicit,
I believe this to be the relevant when ROPC is used, which again, is not what AppAuth is bringing.
If you are using Ionic, I have created an extension for appauth-js called ionic-appauth. This includes an implicit flow for use when using a browser with Ionic.