Authorization Code Flow support #19
can you create a pull request?
Is there a technical reason you want support for the authorization code flow? It was not designed for use with client side applications. According to the specification, the Authorization Code flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server. Angular apps are not able to maintain such a secret.
Some OIDC Servers implement authorization code flow with short-lived refresh and id tokens. Keycloak (cf. https://keycloak.gitbooks.io/documentation/content/server_admin/topics/sso-protocols/oidc.html, js adapter code: https://github.com/keycloak/keycloak/tree/master/adapters/oidc/js/src/main/resources) would be an example of that.
Yes, Code Flow for a SPA seems to be a gray zone and can be used safely. But it is not the intended way. I would prefer implicit flow with token refresh (which is possible without refresh_tokens by leveraging a well known hack).
As the next version of this lib (lands in a few days) is supporting silent refresh with implicit flow there is IMHO no need for code flow for browser scenarios. When it comes to hybrid scenarios (cordova, ionic) it would make sense. I would accept a PR on this and there is a pull request for hybrid flow which contains a lot of code that can be used when writing support for code flow. I would suggest to introduce a new method initCodeFlow(...) for this.
Oh, if anyone creates a PR for this, please have a look at the RFC about Code Flow and mobile apps.
What do you think about the Authorization Code Flow with PKCE for SPAs? (https://tools.ietf.org/html/rfc7636)
I think, when we are implementing Code Flow we should also implement PKCE alongside b/c this is THE way to go for mobile apps/hybrid apps. When it comes to web apps, I would prefer Implicit Flow + Silent Refresh. Do you have a current project where code flow + PKCE is needed?
I'm not sure if we're going to use code flow with PKCE, yet. I'll get back to you when I know. If we're going to use it, I would absolutely be interested in contributing this addition.
Cool, just reach out in case.
+1 for Authorization Code Flow.
+1 Authorization Code Flow
Adding some context here, it seems like parts of "the industry" (hi there 👋) have moved on when it comes to using the implicit flow for SPAs:
So, to accommodate that, I'd +1 the request for authorization code flow.
Anyway, I'm not convinced that PKCE makes sense for SPAs. The crucial point in the App use case could be that the client (the app) can keep its state (including the challenge) a secret; or at least hidden from a malicious app on the same smartphone. I don't believe that this makes sense for an in-browser JS application. (But I might very well be missing something, not an expert.)
You're right. PKCE does not make sense in the browser. When it comes to hybrid apps, we should have it.
+1 for the Authorization Code Flow. Are there any plans for it? We were planning on using this library for our product here but now we hit a roadblock.
+1 for the Authorization Code Flow.
+1 for the Authorization Code Flow.
+1 for the Authorization Code Flow.
I suppose @manfredsteyer wouldn't be blocking a code contribution... (nudge, nudge at y'all who want this so dearly 😉)
Hi @manfredsteyer I'm about to implement support for authorization code flow for your library. In the github repository https://github.com/manfredsteyer/angular-oauth2-oidc the latest version is 3.0.1. Also
@manfredsteyer also how do you build the library?
+1 Authorization Code Flow
+1 Authorization Code Flow
@bechhansen Thanks for taking care of this. I guess I've used git push and npm version minor && npm publish in the wrong order. That's why we have a gap here. But it should not matter and I will correct this soon. Regarding the build failure: It's about Angular 5. They don't support having ts files in the referenced package anymore. It was never intended to support this but by coincidence it worked before. The quick workaround for this is to run it with the --aot flag. In this case this is still supported. npm start -- --aot
I have added a pull request for this functionality for you to review:
+1 Authorization Code Flow
+1 for the Authorization Code Flow
+1 for Authorization Code Flow
+1
+1 for PKCE
Hi, I think this great library needs to include the authorization code flow to be complete, and I think it's sad it can't be part of this package. I personally prefer to use the authorization code flow as I think the silent refresh mechanism of the implicit flow is a dirty hack. I have forked this repository and added support for the authorization code flow. PKCE is currently not implemented. Go check it out at https://www.npmjs.com/package/angular-oauth2-oidc-codeflow (Name, versioning, structure, etc. might change in the future)
@bechhansen: Thanks for the PR and for the fork. Very much appreciated. As mentioned in another thread, I cannot support that many flows and so creating additional solutions/forks seems to be the best way to meet all the different needs.
I'm confused by all the requests for Auth Code Flow for SPAs. Having a long-lived refresh token in an SPA would seem like an exploitable security hole. Why should I prefer Auth Code over Implicit? What advantages does Auth Code provide? Is it limited to the fact that the access token is never passed over the URL (via the fragment) and instead only via body content? Or is there something else I am missing?
According to the new OAuth2 draft spec, implicit flow MUST NOT be used any more for SPAs
@andifalk very very interesting. Too bad the library does not support Code flow ;-)
+1 for the Authorization Code Flow.
A fresh issue was opened in #470 (triggered by the newest RFC, so it seems appropriate IMO to start a fresh issue for it).
+1 for the Authorization Code Flow.
it's going to come. see #549
When are you planning to add support for the Authorization Code Flow?
Should be reasonably easy given that you already implemented all logic for identity, access, and refresh tokens, including refreshing the access token with the refresh token - or am I missing something?