oauth2-client
Support for implicit grant-type
Isn't this as simple as just allowing to overwrite the response_type to token? This isn't allowed because there is a check in authorization-code.ts:90 that throws an error when you overwrite that property.
That's one of the things that needs to be done, but it should be in a new implicit.ts file. Also, it should support parsing the URL when the user is redirected back.
I don't think I'll ever prioritize this because implicit is basically deprecated and considered insecure now. So if someone has a need for this, submit a PR with tests.
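As an added illustration of the two pieces mentioned above (a separate implicit helper instead of relaxing the extraParams check, plus parsing the redirect URL), here is a standalone sketch. It is example code, not oauth2-client's own implementation; the settings shape, function names and field names are assumptions.

```typescript
// Added example, not oauth2-client's own code: what an implicit.ts helper could look like.
// Names and shapes below are assumptions, not the library's API.
interface ImplicitSettings { authorizationEndpoint: string; clientId: string; redirectUri: string; scope?: string[] }
interface ImplicitToken { accessToken: string; tokenType: string; expiresAt: number | null; scope: string[] }

// Build the authorization URL. response_type=token is what makes this the implicit
// grant; state is required so the redirect can be tied back to this request.
function buildImplicitAuthorizeUrl(s: ImplicitSettings, state: string): string {
  const url = new URL(s.authorizationEndpoint);
  url.searchParams.set('response_type', 'token');
  url.searchParams.set('client_id', s.clientId);
  url.searchParams.set('redirect_uri', s.redirectUri);
  url.searchParams.set('state', state);
  if (s.scope && s.scope.length > 0) url.searchParams.set('scope', s.scope.join(' '));
  return url.toString();
}

// Parse the URL the browser lands on after the redirect. The implicit grant puts the
// token in the fragment (#...), never the query string, and state must match.
function parseImplicitRedirect(redirected: string, expectedState: string, now = Date.now()): ImplicitToken {
  const url = new URL(redirected);
  if (url.searchParams.has('access_token')) {
    throw new Error('access_token must arrive in the fragment, not the query string');
  }
  const p = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (p.get('state') !== expectedState) {
    throw new Error('state mismatch: response does not belong to this request');
  }
  if (p.has('error')) {
    throw new Error(`authorization server error: ${p.get('error')} ${p.get('error_description') ?? ''}`.trim());
  }
  const accessToken = p.get('access_token');
  const tokenType = p.get('token_type');
  if (!accessToken || !tokenType) throw new Error('fragment lacks access_token or token_type');
  const expiresIn = p.get('expires_in');
  return {
    accessToken,
    tokenType,
    expiresAt: expiresIn === null ? null : now + Number(expiresIn) * 1000, // expires_in is seconds
    scope: (p.get('scope') ?? '').split(' ').filter(x => x.length > 0),
  };
}
```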
Since when is it considered insecure? Twitch recommends it for client-side applications, for example.
If I had to guess, 2010?
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#name-removal-of-the-oauth-20-imp
For some context, OAuth2 and implicit came out at a time when CORS was not widespread, making authorization_code hard to do if you wanted to support every browser. It was also more common for people to not upgrade their browsers.
But that said, I am cool with supporting implicit in this library for completeness and for servers that still support it. It's just unlikely I'll be the one to build it unless I'm required to integrate with something like Twitch myself ;)
@brockallen point taken. However, because this library aims to implement the OAuth 2.0 spec, while the proposal is the 2.1 spec, I think it should be implemented. There are more services that use that flow besides Twitch.
I forked the library and made some edits to allow for this flow. However, I just deleted the part where it doesn't allow you to overwrite certain properties in the extraParams field. That is probably not the way to do it; rather, it should export a new class implementing that flow.
Maybe I'll have another look at it when I get a bit more time.
Yes, and just to be clear, I am down with having implicit support. I'm just not interested in writing it myself, because it's been on its way out for a while and should be considered legacy.
OAuth 2.1 is really an accumulation of lessons learned in OAuth 2.0 over all the years it's been around. For the most part, the experts and official resources have been steering people away from implicit for many years.