
OAuth2 Implicit flow #2

Closed
IntranetFactory opened this issue Feb 28, 2021 · 5 comments
Labels
enhancement New feature or request

Comments

@IntranetFactory

It seems that the implicit flow isn't implemented. Do you have any plans to add that as well? That just became a blocker for our pm migration.

@AnWeber
Owner

AnWeber commented Feb 28, 2021

Currently, the implicit flow is not implemented. It would be helpful if you could give me a description of how this is used (response_code id_token vs. token). In my current environment, I do not use this flow. I need to build up a valid test.

@AnWeber AnWeber added the enhancement New feature or request label Feb 28, 2021
@IntranetFactory
Author

Implicit flow doesn't use the secret and provides only an access_token (but no refresh token). I'll prepare some information on what should probably be added/changed to support it.

@IntranetFactory
Author

I think it's enough to change the response type to token, e.g. https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=token&state=dev&client_id=0c1d9732-466e-458f-85d7-260e448831a8&scope=openid%20profile%20email%20User.Read&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback. After signing in, a redirect to http://localhost:3000/callback#access_token=XXX&token_type=Bearer&expires_in=3599&scope=email+openid+profile+User.Read&state=dev&session_state=beacc8af-a36a-46f7-bf0e-3d255d2ea83d happens (where XXX is the opaque token value). The parameters are provided after the # so they are not sent to the server. I think that adding an AJAX request to the page /callback sending the hash parameters to the extension server should be enough to support the implicit flow.

The token can then be sent in the Bearer header to request e.g. GET https://graph.microsoft.com/v1.0/me

I've set up an AAD Test App

local_authorizationEndpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
local_tokenEndpoint=https://login.microsoftonline.com/common/oauth2/v2.0/token
local_clientId=0c1d9732-466e-458f-85d7-260e448831a8
local_scope=openid profile email User.Read

From my understanding it's secure to share that information, as it only allows a user to request a token for his own account. I don't need to share the secret, and there is no risk of losing the related refresh token.
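The callback handling described above (read the fragment the implicit-flow redirect leaves on /callback, check it, then hand it to the local server), as an added example that is neither the issue author's code nor the extension's own implementation. The POST /callback JSON endpoint, the `handleCallback` entry point and the sample fragment are assumptions.

```javascript
// Parse "#access_token=...&state=..." into a plain object. Returns null when the
// fragment is empty or carries no access token (e.g. an error redirect).
function parseImplicitFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  if (!raw) return null;
  const params = new URLSearchParams(raw); // also decodes '+' in scope to spaces
  if (!params.has('access_token')) return null;
  const fields = {};
  for (const [key, value] of params) fields[key] = value;
  return fields;
}

// Check the response before trusting it: state must match the value sent in the
// authorize request (CSRF protection), token_type must be Bearer, expires_in
// must be a positive integer. Returns a list of problems, empty when acceptable.
function checkImplicitResponse(fields, expectedState) {
  const problems = [];
  if (!fields) return ['no access_token in fragment'];
  if (fields.state !== expectedState) problems.push('state mismatch');
  if ((fields.token_type || '').toLowerCase() !== 'bearer') problems.push('unexpected token_type');
  const ttl = Number(fields.expires_in);
  if (!Number.isInteger(ttl) || ttl <= 0) problems.push('invalid expires_in');
  return problems;
}

// Hand the checked fields to the local server. The endpoint (POST /callback on
// the same origin, JSON body) is an assumption, not the extension's real API.
// Sending a body rather than a query string keeps the token out of server logs.
async function forwardToExtension(fields, fetchImpl = fetch) {
  const res = await fetchImpl('/callback', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(fields),
  });
  return res.ok;
}

// Browser entry point for /callback (assumed): parse, check, forward, then drop
// the fragment from the URL so the token does not stay in the browser history.
async function handleCallback(expectedState) {
  const fields = parseImplicitFragment(window.location.hash);
  const problems = checkImplicitResponse(fields, expectedState);
  if (problems.length) throw new Error('implicit flow callback rejected: ' + problems.join('; '));
  history.replaceState(null, '', window.location.pathname);
  return forwardToExtension(fields);
}

// Constructed sample in the shape quoted in the issue (XXX stands in for the token).
const SAMPLE_HASH = '#access_token=XXX&token_type=Bearer&expires_in=3599&scope=email+openid+profile+User.Read&state=dev&session_state=constructed';
```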

AnWeber added a commit that referenced this issue Mar 4, 2021
@AnWeber
Owner

AnWeber commented Mar 4, 2021

I released a new version with implicit flow. Can you please test?

@IntranetFactory
Author

Great work, from my pov oauth2 support is now perfect.
