
adding responseType as parameter

Open jeffersonpenna opened this issue 8 years ago • 5 comments

I've got cases where the response_type is different from 'code', so I made a modification that leaves 'code' as default, but allows the user to enter the desired type of response_type.

jeffersonpenna avatar Feb 16 '17 13:02 jeffersonpenna

Coverage remained the same at 100.0% when pulling 783d656a5f41809447b4cb4caa2ae930020f0d10 on jeffersonpenna:master into a02839afb8d15f7d283ae09167973e4d22e8faf8 on jaredhanson:master.

coveralls avatar Feb 16 '17 13:02 coveralls

Merged in https://github.com/passport-next/passport-oauth2

rwky avatar Jul 07 '18 15:07 rwky

What response_type type do you need to set other than code? The authorization code flow is the one specified by the OAuth 2.0 specification, and any other response_type is likely to have a far different protocol (and thus not be compatible anyway).

(Similar to #107)

jaredhanson avatar Mar 15 '19 22:03 jaredhanson

> What response_type type do you need to set other than code?

OpenID Connect hybrid flows would use `code id_token` or `code id_token token`, and would (in theory) be compatible with OAuth2 for the most part.

kara-ryli avatar Mar 16 '19 04:03 kara-ryli

OpenID Connect also introduces a number of other required checks (nonce, etc), that would not be handled by a base OAuth 2 strategy, such as this. That might lead to subtle security concerns, if you set `code id_token` or `code id_token token` and the strategy then does not also do the additional nonce checking and the like.

Using an OpenID Connect specific strategy would be more appropriate than overriding the grant_type.

jaredhanson avatar Mar 16 '19 17:03 jaredhanson
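
The additional checks mentioned in the last comment, sketched as an added example that is not part of this thread or of passport-oauth2: for a hybrid-flow response, the ID token's `nonce` must match the value stored when the request was sent, and its `c_hash` must bind the token to the returned `code` (OpenID Connect Core 3.3.2.11). The function names and the input shape are hypothetical, and the ID token's signature, `iss`, `aud` and `exp` are assumed to have been verified already by a JOSE library.

```javascript
'use strict';
const crypto = require('crypto');

// Hash used for c_hash, chosen from the ID token's JWS "alg" header.
const HASH_FOR_ALG = {
  RS256: 'sha256', ES256: 'sha256', PS256: 'sha256',
  RS384: 'sha384', ES384: 'sha384', PS384: 'sha384',
  RS512: 'sha512', ES512: 'sha512', PS512: 'sha512',
};

// base64url(left-most half of hash(ASCII octets of value)); null if alg is unknown.
function leftHalfHash(value, alg) {
  const hashName = HASH_FOR_ALG[alg];
  if (!hashName) return null;
  const digest = crypto.createHash(hashName).update(value, 'ascii').digest();
  return digest.subarray(0, digest.length / 2).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constant-time string comparison.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// header/claims: decoded parts of an already signature-verified ID token (assumption).
// code: the authorization code from the same response.
// sessionNonce: the nonce stored in the user's session when the request was sent.
function checkHybridResponse({ header, claims, code, sessionNonce }) {
  if (!sessionNonce) return { ok: false, reason: 'no nonce stored for this session' };
  if (typeof claims.nonce !== 'string' || !safeEqual(claims.nonce, sessionNonce)) {
    return { ok: false, reason: 'nonce mismatch' };
  }
  if (typeof claims.c_hash !== 'string') return { ok: false, reason: 'c_hash missing' };
  const expected = leftHalfHash(code, header.alg);
  if (expected === null) return { ok: false, reason: 'unsupported alg' };
  if (!safeEqual(claims.c_hash, expected)) return { ok: false, reason: 'c_hash mismatch' };
  return { ok: true };
}

// Constructed sample values, not taken from any real provider.
const sampleCode = 'constructed-auth-code';
const sample = {
  header: { alg: 'RS256' },
  claims: { nonce: 'n-0S6_WzA2Mj', c_hash: leftHalfHash(sampleCode, 'RS256') },
  code: sampleCode,
  sessionNonce: 'n-0S6_WzA2Mj',
};
console.log(checkHybridResponse(sample));
```

A strategy that only changes `response_type` performs none of these steps, so a replayed ID token or a substituted `code` would pass through unnoticed.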