Daniel Nord

Results 37 comments of Daniel Nord

New guidance in using implicit grant https://auth0.com/blog/oauth2-implicit-grant-and-spa/

> If the APIs are secured with the same middleware used to enforce web sign on, they are likely to return a 302 when the session cookie expires. 302s aren't...

Hm, wouldn't that be exactly how the standard non-API type of URL is handled? I have to check the code to remember exactly. :)

The 307 was chosen so that the method would not be changed by the redirect, but when thinking of it, it is probably not a problem because if you want...

We could try changing for 302 Redirect and see how it behaves, especially for AJAX calls. The 403 forbidden handling of API calls was done to make it cleaner for...

Yup, that was the way I was thinking it would work. Is there a case where an AJAX client would need to distinguish between a redirect for auth, and a...

If you want to have a go at it, create a PR that removes the special response handling of API types, and both API and normal clients get the same...

Kool, I added a .editconfig file from my IDEA to the 2.0-rc1 branch. I use default IDEA settings for code style. And also added you as a collaborator to the...

@KarolisL the logic for handling authz and authn is implemented as two state machines, https://github.com/dniel/traefik-forward-auth0/blob/2.0-rc1/src/main/kotlin/dniel/forwardauth/domain/authorize/service/AuthorizerStateMachine.kt for authorization and specifically it's the lines https://github.com/dniel/traefik-forward-auth0/blob/2.0-rc1/src/main/kotlin/dniel/forwardauth/domain/authorize/service/AuthorizerStateMachine.kt#L176-L180 that handles the special case of if...

yeah. agree, that SPA seems like a good start for a SPA for testing