
full implicit flow support?


@tikurahul I know you have mentioned this in https://github.com/openid/AppAuth-JS/issues/8#issuecomment-309239324, but implicit auth would still be a cool feature. For SPAs implicit auth is required, and support for it is basically already there; we only need to make sure that the correct data is returned here: https://github.com/openid/AppAuth-JS/blob/master/src/redirect_based_handler.ts#L102 if ‘token’ (instead of code) was requested.

What I do now in my SPA as a workaround:

const {AuthorizationServiceConfiguration} = require('@openid/appauth/built/authorization_service_configuration.js');
const {AuthorizationRequest} = require('@openid/appauth/built/authorization_request.js');
const {AuthorizationNotifier} = require('@openid/appauth/built/authorization_request_handler.js');
const {RedirectRequestHandler} = require('@openid/appauth/built/redirect_based_handler.js');

var login = {
  init: function() {
    this.notifier = new AuthorizationNotifier();
    this.handler = new RedirectRequestHandler();

    // The library only looks for `code` in the redirect; the implicit response
    // (access_token, id_token, ...) arrives in the URL fragment, so read it here.
    this.notifier.setAuthorizationListener(function (request, response, error) {
      var hash = login.parseAuthorizationResponse();
      if (response && hash.access_token) {
        // do something useful here with hash.access_token...
      } else {
        // error
      }

      // destroy the hash so the tokens do not linger in the address bar / history
      window.location.hash = '';
    });

    this.handler.setAuthorizationNotifier(this.notifier);
    this.handler.completeAuthorizationRequestIfPossible();
  },

  initOidcAuth: function(idp) {
    AuthorizationServiceConfiguration.fetchFromIssuer(idp.providerUrl).then(configuration => {
      // response_type 'id_token token' requests the implicit flow; state is left
      // undefined so the library generates one.
      var request = new AuthorizationRequest(
        idp.clientId, idp.redirectUri, idp.scope, 'id_token token', undefined, {'nonce': login.randomNonce()});

      login.handler.performAuthorizationRequest(configuration, request);
    });
  },

  // The nonce must be unguessable: use the CSPRNG rather than Math.random().
  randomNonce: function() {
    var bytes = window.crypto.getRandomValues(new Uint8Array(16));
    return Array.from(bytes, function (b) { return ('0' + b.toString(16)).slice(-2); }).join('');
  },

  parseAuthorizationResponse: function() {
    var hash = window.location.hash.substr(1);
    var obj = {};
    var pairs = hash.split('&');

    for (var i = 0; i < pairs.length; i++) {
      var split = pairs[i].split('=');
      // a key without a value (e.g. "foo" or "foo=") maps to ''
      obj[decodeURIComponent(split[0])] = decodeURIComponent(split.slice(1).join('='));
    }

    return obj;
  }
}

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 10 (3 by maintainers)

Top GitHub Comments

2 reactions
panva commented, Oct 4, 2017

Isn’t the idea behind AppAuth to follow the almost-BCP? On the topic of implicit:

8.2. OAuth Implicit Grant Authorization Flow

The OAuth 2.0 implicit grant authorization flow as defined in Section 4.2 of OAuth 2.0 [RFC6749] generally works with the practice of performing the authorization request in the browser, and receiving the authorization response via URI-based inter-app communication. However, as the implicit flow cannot be protected by PKCE [RFC7636] (which is required in Section 8.1), the use of the Implicit Flow with native apps is NOT RECOMMENDED.

Tokens granted via the implicit flow also cannot be refreshed without user interaction, making the authorization code grant flow - which can issue refresh tokens - the more practical option for native app authorizations that require refreshing.

However, the problem really is whether the application holds on to the user’s password when it needs another access token.

I believe this to be relevant when ROPC is used, which, again, is not what AppAuth is bringing.

1 reaction
wi3land commented, Apr 10, 2019

If you are using Ionic, I have created an extension for appauth-js called ionic-appauth. This includes an implicit flow for use when using a browser with Ionic.
