oauth2-client-js
Missing Resource Owner Password Credentials flow
According to the RFC, the ROPC flow can also be used when there is a high degree of trust between the resource owner and the client, as is the case with a first-party app, where the use of an implicit flow would hurt UX. OAuth2-client lacks this ROPC flow.
Yup, correct. I’ll see when I have some time to implement it.
I’m curious: Do you intend to use the library in the browser or on the server?
In the browser, it's a simple React app. I plan to go isomorphic in the future though.
Aren’t you exposing your client credentials (including the secret) then?
Nope. OAuth2 distinguishes two client types: confidential and public (see here). Public clients are not required to provide their client_secret (as is the case for an AJAX app). I'm using this passport strategy on the server to protect the token endpoint.
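The two points made above, the shape of a Resource Owner Password Credentials token request (RFC 6749 section 4.3.2) and the fact that a public client (RFC 6749 section 2.1) identifies itself with `client_id` alone and never sends a `client_secret`, are illustrated by the following added example. It is not code from oauth2-client-js or from anyone in this thread; the token endpoint URL, client id and user credentials are constructed placeholders, and `fetchImpl` is an injection point I added so the request function can be exercised without a network.

```javascript
// Added example (not part of zalando/oauth2-client-js): building, sending and
// parsing a Resource Owner Password Credentials grant for a PUBLIC client.
// The endpoint, client id and credentials used by callers are placeholders.

// Build the token request described in RFC 6749 section 4.3.2.
// A public client has no secret, so only client_id identifies it.
function buildRopcTokenRequest({ tokenEndpoint, clientId, username, password, scope }) {
  if (!tokenEndpoint || !clientId || !username || !password) {
    throw new Error('tokenEndpoint, clientId, username and password are required');
  }
  const params = new URLSearchParams({
    grant_type: 'password',
    username,
    password,
    client_id: clientId, // no client_secret: this is a public client
  });
  if (scope) params.set('scope', scope);
  return {
    url: tokenEndpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Validate a token endpoint response. RFC 6749 section 5.1 requires
// access_token and token_type on success; section 5.2 requires an
// `error` code on failure. `now` (ms since epoch) is injectable so the
// computed expiry is deterministic in tests.
function parseTokenResponse(status, body, now = Date.now()) {
  if (status === 200) {
    if (!body || typeof body.access_token !== 'string' || typeof body.token_type !== 'string') {
      throw new Error('malformed token response: access_token and token_type are required');
    }
    return {
      accessToken: body.access_token,
      tokenType: body.token_type,
      refreshToken: typeof body.refresh_token === 'string' ? body.refresh_token : null,
      scope: typeof body.scope === 'string' ? body.scope : null,
      // absolute expiry in ms, or null when the server sent no expires_in
      expiresAt: typeof body.expires_in === 'number' ? now + body.expires_in * 1000 : null,
    };
  }
  const code = body && typeof body.error === 'string' ? body.error : 'unknown_error';
  const detail = body && body.error_description ? ' - ' + body.error_description : '';
  throw new Error(`token request failed (${status}): ${code}${detail}`);
}

// Send the request. fetchImpl defaults to the global fetch (browser or
// Node 18+); a fake can be injected for offline use.
async function requestToken(config, fetchImpl = globalThis.fetch) {
  const req = buildRopcTokenRequest(config);
  const res = await fetchImpl(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
  const json = await res.json();
  return parseTokenResponse(res.status, json);
}
```

The body is form-encoded rather than JSON because that is the only encoding RFC 6749 defines for the token endpoint. Note that the later OAuth 2.0 Security Best Current Practice (RFC 9700) states that the password grant must not be used, so on current deployments the authorization code grant with PKCE is the expected replacement for exactly the first-party, public-client case this thread discusses.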
Ah, so you can do the ROPC flow with non-confidential clients as well. I kind of overread that.
@prayerslayer Do you still want this enhancement? If so, can we open it up to "Help Wanted"?
Yes, do want. It's unlikely I get to this myself though, so I added the help label.
@prayerslayer Great!