Support for authorization code flow #249

Closed
b-wins opened this issue Feb 28, 2018 · 17 comments

@b-wins

b-wins commented Feb 28, 2018

Because of my application structure, I'm looking to use authorization code flow and pass the code to a backend server which will take over from there.

Does this library have any way to support that? Or ideas of a different one you played with?

Thanks,

B Wins

@bechhansen
Contributor

Hi

There already exists an issue about this topic: #19

I have implemented a solution for supporting authorization code flow.
There is a pull request for it, #195, which has been waiting for approval since December 2017.

@manfredsteyer, any plans for merging PRs anytime soon?

@pokkia

pokkia commented Apr 11, 2018

+1

@dar88rm

dar88rm commented Apr 11, 2018

+1

@pmartella

+1

@darbio
Contributor

darbio commented May 10, 2018

+1 - would be good to get this PR integrated

@manfredsteyer
Owner

Sorry, I don't manage to support so many variations. I will focus on Implicit Flow, which is the most suitable one for browser-based SPAs.

Feel free to fork this library for other flows.

@bechhansen
Contributor

Hi

I think this great library needs to include the authorization code flow to be complete, and I think it's sad it can't be part of this package. I personally prefer to use the authorization code flow, as I think the silent refresh mechanism of the implicit flow is a dirty hack.

I have forked this repository and added support for the authorization code flow. PKCE is currently not implemented.

Go check it out at https://www.npmjs.com/package/angular-oauth2-oidc-codeflow

(Name, versioning, structure, etc. might change in the future)

@gentunian

> Sorry, I don't manage to support so many variations. I will focus on Implicit Flow, which is the most suitable one for browser-based SPAs.
>
> Feel free to fork this library for other flows.

The fact that it is the most used does not invalidate that it is the more insecure way of doing this.

Please have a read of these links. From https://oauth.net/2/grant-types/implicit/:

> It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead.

ORY Hydra is a complete implementation of an OAuth2 RFC authorization server, based on best practices and security focused:

https://www.ory.sh/oauth2-for-mobile-app-spa-browser
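
Added example, not part of any comment in this thread and not code from angular-oauth2-oidc or the fork: the PKCE exchange (RFC 7636, S256 method) that the oauth.net text quoted above recommends for public clients, showing the client-side challenge and the check at the token endpoint. The endpoint URL, client ID and all function names are assumptions for illustration.

```javascript
// Added example: PKCE with the S256 method (RFC 7636). Runs under Node.js.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// base64url without padding, as RFC 7636 requires.
const b64url = (buf) => buf.toString("base64url");

// Client: a fresh, high-entropy verifier per authorization request (43 chars).
function newCodeVerifier() {
  return b64url(randomBytes(32));
}

// Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function codeChallengeS256(verifier) {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Client: authorization request. Only the challenge travels through the
// browser redirect; the verifier stays with the client until the token call.
function buildAuthorizationUrl(endpoint, clientId, redirectUri, state, verifier) {
  const url = new URL(endpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: codeChallengeS256(verifier),
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Authorization server, token endpoint: the challenge was stored with the
// issued code; the code is redeemed only if the presented verifier hashes to it.
function verifyPkce(storedChallenge, presentedVerifier) {
  if (typeof presentedVerifier !== "string" ||
      !/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier)) {
    return false; // missing or malformed verifier
  }
  const expected = Buffer.from(storedChallenge, "ascii");
  const actual = Buffer.from(codeChallengeS256(presentedVerifier), "ascii");
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

The check ties the authorization code to the client instance that started the request, so a code intercepted from the redirect cannot be redeemed without the verifier.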

@RFIhism

RFIhism commented Apr 5, 2019

Hi bechhansen!
I want to build an Angular 7 web application protected with OAuth2-OIDC authorization code flow. I'm trying to use your project, but is it the same as manfredsteyer's? I mean, is it implemented with the implicit flow?

@RFIhism

RFIhism commented Apr 5, 2019

Hi @bechhansen !
I want to build an Angular 7 web application protected with OAuth2-OIDC authorization code flow. I'm trying to use your project, but is it the same as manfredsteyer's? I mean, is it implemented with the implicit flow?

@bechhansen
Contributor

> Hi @bechhansen !
> I want to build an Angular 7 web application protected with OAuth2-OIDC authorization code flow. I'm trying to use your project, but is it the same as manfredsteyer's? I mean, is it implemented with the implicit flow?

Hi @RFIhism
My project is a fork of this one, but I have added support for authorization code flow.
Recently manfredsteyer has uttered interest in merging the authorization code flow implementation back to the upstream branch. It has not happened yet though. Currently I'm not doing any work on my fork as I am not using it at the moment.

@RFIhism

RFIhism commented Apr 5, 2019

Hi @bechhansen !
Thank you for your response. I understand, and I wish that @manfredsteyer would merge the authorization code flow to the upstream branch. But I want to know if your fork project works correctly with the authorization code flow? Because I need it at the moment when I'm working in this flow.

@bechhansen
Contributor

> Hi @bechhansen !
> Thank you for your response. I understand, and I wish that @manfredsteyer would merge the authorization code flow to the upstream branch. But I want to know if your fork project works correctly with the authorization code flow? Because I need it at the moment when I'm working in this flow.

It should work. I currently have a solution running using it. PKCE is currently not implemented though.

@RFIhism

RFIhism commented Apr 5, 2019

In my project, I don't need to use PKCE when I'm developing a web application with Angular 7 and my server runs on HTTPS (is secured). Please, can I take a look at your solution, which can help me? Thanks a lot for your interest and your help.

@bechhansen
Contributor

> In my project, I don't need to use PKCE when I'm developing a web application with Angular 7 and my server runs on HTTPS (is secured). Please, can I take a look at your solution, which can help me? Thanks a lot for your interest and your help.

Sorry, my app is not public so I cannot share it. Also I might be about to stop using the library as I'm not happy with my IDP (Amazon Cognito).

Have a look at the example at https://github.com/bechhansen/angular-oauth2-oidc. This is pretty much how I use the library.

@RFIhism

RFIhism commented Apr 8, 2019

Hi @bechhansen !

Thanks for your response. I looked at your fork, but you still use the implicit flow also! You defined it in the file "oauth-service.ts" #1066

@bechhansen
Contributor

bechhansen commented Apr 8, 2019

> Hi @bechhansen !
>
> Thanks for your response. I looked at your fork, but you still use the implicit flow also! You defined it in the file "oauth-service.ts" #1066

@RFIhism the implicit flow is still available in the fork, but it is extended with functionality for code flow.
At the time I implemented it, the goal was to have it merged to the upstream branch. The pull-request was later rejected though.
