Comments (39)
+1 Authorization Code Flow
from angular-oauth2-oidc.
+1 Authorization Code Flow
I need it too
from angular-oauth2-oidc.
According to the new OAuth2 draft spec, implicit flow MUST NOT be used any more for SPAs
https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-00#section-7.8
See also https://medium.com/@torsten_lodderstedt/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
from angular-oauth2-oidc.
I have added a pull request for this functionality for you to review:
#195
from angular-oauth2-oidc.
+1 for Authorization Code Flow.
from angular-oauth2-oidc.
Adding some context here, it seems like parts of "the industry" (hi there) have moved on when it comes to using the implicit flow for SPAs:
Note: Previously, it was recommended that browser-based apps use the "Implicit" flow, which returns an access token immediately and does not have a token exchange step. In the time since the spec was originally written, the industry best practice has changed to recommend that the authorization code flow be used without the client secret. This provides more opportunities to create a secure flow, such as using the state parameter. (source)
So, to accommodate that, I'd +1 the request for authorization code flow.
Authorization Code Flow with PKCE for SPAs
Anyways, I'm not convinced that PKCE makes sense for SPAs. The crucial point in the App use case could be that the client (the app) can keep its state (including the challenge) a secret; or at least hidden from a malicious app on the same smartphone. I don't believe that this makes sense for an in-browser JS application. (But I might very well be missing something, not an expert.)
from angular-oauth2-oidc.
+1 for the Authorization Code Flow.
Are there any plans for it? We were planning on using this library for our product here, but now we hit a roadblock.
from angular-oauth2-oidc.
+1 for the Authorization Code Flow.
from angular-oauth2-oidc.
+1 for the Authorization Code Flow.
from angular-oauth2-oidc.
+1 for the Authorization Code Flow.
from angular-oauth2-oidc.
@andifalk very, very interesting. Too bad the library does not support Code Flow ;-)
from angular-oauth2-oidc.
A fresh issue was opened in #470 (triggered by the newest RFC, so it seems appropriate IMO to start a fresh issue for it).
from angular-oauth2-oidc.
I think, when we are implementing Code Flow, we should also implement PKCE alongside, because this is THE way to go for mobile apps/hybrid apps. When it comes to web apps, I would prefer Implicit Flow + Silent Refresh.
Do you have a current project where code flow + PKCE is needed?
If yes, when would you need it?
If yes, would you be interested in contributing such an addition?
from angular-oauth2-oidc.
+1 Authorization Code Flow
from angular-oauth2-oidc.
+1 for the Authorization Code Flow
from angular-oauth2-oidc.
+1 for Authorization Code Flow
from angular-oauth2-oidc.
Hi
I think this great library needs to include the authorization code flow to be complete, and I think it's sad it can't be part of this package. I personally prefer to use the authorization code flow as I think the silent refresh mechanism of the implicit flow is a dirty hack.
I have forked this repository and added support for the authorization code flow. PKCE is currently not implemented.
Go check it out at https://www.npmjs.com/package/angular-oauth2-oidc-codeflow
(Name, versioning, structure, etc. might change in the future)
from angular-oauth2-oidc.
can you create a pull request?
from angular-oauth2-oidc.
Is there a technical reason you want support for the authorization code flow? It was not designed for use with client side applications. According to the specification, the Authorization Code flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server. Angular apps are not able to maintain such a secret.
from angular-oauth2-oidc.
Some OIDC Servers implement authorization code flow with short-lived refresh and id tokens. Keycloak (cf. https://keycloak.gitbooks.io/documentation/content/server_admin/topics/sso-protocols/oidc.html, js adapter code: https://github.com/keycloak/keycloak/tree/master/adapters/oidc/js/src/main/resources) would be an example of that.
And when you consider it a problem for the client to be able to access the refresh/id token, supporting the direct access grant flow is certainly much more of a concern. Nevertheless there is a plethora of (especially hybrid mobile) apps that handle password entry right in the web app.
from angular-oauth2-oidc.
Yes, Code Flow for a SPA seems to be a gray zone and can be used safely. But it is not the intended way. I would prefer implicit flow with token refresh (which is possible without refresh_tokens by leveraging a well-known hack).
from angular-oauth2-oidc.
As the next version of this lib (lands in a few days) is supporting silent refresh with implicit flow, there is IMHO no need for code flow for browser scenarios. When it comes to hybrid scenarios (cordova, ionic) it would make sense. I would accept a PR on this, and there is a pull request for hybrid flow which contains a lot of code that can be used when writing support for code flow.
I would suggest introducing a new method initCodeFlow(...) for this.
from angular-oauth2-oidc.
Oh, if anyone creates a PR for this, please have a look at the RFC about Code Flow and mobile apps.
from angular-oauth2-oidc.
What do you think about the Authorization Code Flow with PKCE for SPAs? (https://tools.ietf.org/html/rfc7636)
from angular-oauth2-oidc.
I'm not sure if we're going to use code flow with PKCE, yet. I'll get back to you when I know.
If we're going to use it, I would absolutely be interested in contributing this addition.
from angular-oauth2-oidc.
Cool, just reach out in case.
from angular-oauth2-oidc.
You're right. PKCE does not make sense in the browser. When it comes to hybrid apps, we should have it.
from angular-oauth2-oidc.
I suppose @manfredsteyer wouldn't be blocking a code contribution... (nudge, nudge at y'all who want this so dearly)
from angular-oauth2-oidc.
Hi @manfredsteyer I'm about to implement support for authorization code flow for your library.
I have forked the project but I'm a bit confused about the versioning of the latest release.
When installing we get version 3.0.3. https://www.npmjs.com/package/angular-oauth2-oidc also has version 3.0.3.
In the github repository https://github.com/manfredsteyer/angular-oauth2-oidc the latest version is 3.0.1.
The version in package.json of the master branch is 3.0.2 ?!?
Where is the code for 3.0.3?
Also
from angular-oauth2-oidc.
@manfredsteyer also how do you build the library?
If I build it using npm pack and then install the tar, I get the error:
Module build failed: Error: ///node_modules/angular-oauth2-oidc/index.ts is not part of the compilation output.
from angular-oauth2-oidc.
@bechhansen Thx for taking care of this.
I guess I've used git push and npm version minor && npm publish in the wrong order. That's why we have a gap here. But it should not matter and I will correct this soon.
Regarding the build failure: It's about Angular 5. They no longer support having ts files in the referenced package. It was never intended to support this, but by coincidence it worked before. The quick workaround for this is to run it with the --aot flag. In this case this is still supported.
npm start -- --aot
from angular-oauth2-oidc.
+1 Authorization Code Flow
from angular-oauth2-oidc.
+1
from angular-oauth2-oidc.
+1 for PKCE
from angular-oauth2-oidc.
@bechhansen: Thanks for the PR and for the fork. Very appreciated.
As mentioned in another thread, I cannot support that many flows, and so creating additional solutions/forks seems to be the best way to meet all the different needs.
from angular-oauth2-oidc.
I'm confused by all the requests for Auth Code Flow for SPAs. Having a long-lived refresh token in an SPA would seem like an exploitable security hole. Why should I prefer Auth Code over Implicit? What advantages does Auth Code provide? Is it limited to the fact that the access token is never passed over the URL (via the fragment) and instead only via body content? Or is there something else I am missing?
from angular-oauth2-oidc.
+1 for the Authorization Code Flow.
from angular-oauth2-oidc.
+1 for the Authorization Code Flow.
from angular-oauth2-oidc.
It's going to come. See #549
from angular-oauth2-oidc.