
Support for implicit grant-type

Open evert opened this issue 5 years ago • 8 comments

evert avatar Mar 11 '19 21:03 evert

Isn't this as simple as just allowing the response_type to be overwritten to token? This isn't allowed because there is a check in authorization-code.ts:90 that throws an error when you overwrite that property.

codeit-ninja avatar Sep 21 '23 14:09 codeit-ninja

That's one of the things that needs to be done, but it should be in a new implicit.ts file. Also, it should support parsing the URL when the user is redirected back.

I don't think I'll ever prioritize this because implicit is basically deprecated and considered insecure now. So if someone has a need for this, submit a PR with tests.

evert avatar Sep 21 '23 21:09 evert
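The two pieces the comment above asks for (sending response_type=token and parsing the URL the user comes back on) look roughly like the following. This is an added, stand-alone example, not code from oauth2-client; the endpoint, client id and redirect URI in the usage are constructed values. The redirect-back parser reads the fragment only, rejects error responses, and refuses a response whose state does not match the one the client sent, which is the minimum a client needs before trusting a token that arrived in the browser's address bar.

```typescript
// Added example, not part of the oauth2-client library.
// The implicit grant (response_type=token) delivers the token in the URL
// *fragment* of the redirect, so the client must parse location.hash.

type ImplicitTokenResponse = {
  accessToken: string;
  tokenType: string;
  expiresIn?: number;
  scope?: string[];
};

// Build the authorization URL. `state` must be a random, single-use value
// that the caller persists (e.g. in sessionStorage) and compares on return.
function buildImplicitAuthorizeUrl(
  authorizationEndpoint: string,
  clientId: string,
  redirectUri: string,
  state: string,
  scope: string[] = [],
): string {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set('response_type', 'token');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  if (scope.length > 0) {
    url.searchParams.set('scope', scope.join(' '));
  }
  return url.toString();
}

// Parse the URL the browser was redirected back to. Throws on an error
// response, on a missing or mismatched state, on a token that arrived in the
// query string instead of the fragment, and on a missing access_token, so the
// caller never proceeds with a response it did not request.
function parseImplicitRedirect(redirectedUrl: string, expectedState: string): ImplicitTokenResponse {
  const url = new URL(redirectedUrl);

  // A token in the query string would reach server logs and Referer headers;
  // the implicit grant requires it in the fragment, so treat this as a failure.
  if (url.searchParams.has('access_token')) {
    throw new Error('access_token arrived in the query string; the implicit grant returns it in the fragment');
  }

  const params = new URLSearchParams(url.hash.replace(/^#/, ''));

  const error = params.get('error');
  if (error !== null) {
    const description = params.get('error_description');
    throw new Error('authorization server returned error: ' + error + (description ? ' (' + description + ')' : ''));
  }

  const state = params.get('state');
  if (state === null || state !== expectedState) {
    throw new Error('state mismatch: the redirect does not belong to the request this client started');
  }

  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type');
  if (accessToken === null || tokenType === null) {
    throw new Error('redirect fragment lacks access_token or token_type');
  }

  let expiresIn: number | undefined;
  const expiresRaw = params.get('expires_in');
  if (expiresRaw !== null) {
    expiresIn = Number(expiresRaw);
    if (isNaN(expiresIn) || expiresIn < 0) {
      throw new Error('expires_in is not a non-negative number');
    }
  }

  const scopeRaw = params.get('scope');
  const scope = scopeRaw ? scopeRaw.split(' ') : undefined;

  // In a browser the caller should now remove the fragment from the address
  // bar and history (history.replaceState) so the token is not left behind.
  return { accessToken: accessToken, tokenType: tokenType, expiresIn: expiresIn, scope: scope };
}

// Usage with constructed values (the endpoint and ids are not real):
const exampleAuthorizeUrl = buildImplicitAuthorizeUrl(
  'https://auth.example/authorize', 'example-client-id', 'https://app.example/callback', 'state-abc123', ['user:read'],
);
console.log(exampleAuthorizeUrl);
```

Whether this lives in a separate implicit.ts class or is bolted onto the existing client is the design question the thread is discussing; what does not change is that state checking and fragment-only parsing belong in the library, not in each application.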

Since when is it considered insecure? Twitch recommends it for client side applications for example.

codeit-ninja avatar Sep 22 '23 12:09 codeit-ninja

If I had to guess, 2010?

evert avatar Sep 22 '23 15:09 evert

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#name-removal-of-the-oauth-20-imp

brockallen avatar Sep 22 '23 16:09 brockallen

For some context, OAuth2 and implicit came out at a time when CORS was not widespread, making authorization_code hard to do if you wanted to support every browser. It was also more common for people to not upgrade their browsers.

But that said I am cool with supporting implicit in this library for completeness and for servers that still support it. It's just unlikely I'll be the one to build it unless I'm required to integrate with something like Twitch myself ;)

evert avatar Sep 22 '23 16:09 evert

@brockallen point taken. However, because this library aims to implement the OAuth 2.0 spec, while the proposal is the 2.1 spec, I think it should be implemented, because there are more services that use that flow besides Twitch.

I forked the library and made some edits to allow for this flow. However, I just deleted the part where it doesn't allow overwriting certain properties in the extraParams field. And that is probably not the way to do it; rather, it should export a new class implementing that flow.

Maybe I'll have another look into it when I get a bit more time.

codeit-ninja avatar Sep 23 '23 02:09 codeit-ninja

Yes, and just to be clear, I am down with having implicit support. Just not interested in writing it myself because it's been on its way out for a while and should be considered legacy.

OAuth 2.1 is really an accumulation of lessons learned in OAuth 2.0 in all the years it's been around. For the most part the experts and official resources have been coercing people away from implicit for many years.

evert avatar Sep 23 '23 02:09 evert