-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for public clients #266
Comments
We really need to have public clients or be able to pass the client_secret via SESSION so that we can use it in Javascript apps. |
if you are talking about api-first apps then proxy api is a choice |
I will look into this in following week or two... I know that lack of this feature is at least troublesome, but implementation would be something more than allowing |
Any progress on this issue? |
Also really interested by this issue, and more precisely by the possibility of customization of Implicit Grants. |
+1 for this Support for |
+1 for solving this issue. Not having public clients makes this bundle unusable for any front-end web app usage (Angular, Backbone, Ember..) |
@ivan-spoiledmilk A solution for your situation as @alanbem suggested would be to setup an OAuth proxy API. Alex Bilbie has a nice article explaining this process. |
The article stinks, especially the cookie suggestion and using CSRF tokens again which are a pain in the ass when working with single page apps. Half of the article is about storing the client_secret we don't need with public clients. |
@alanbem @Cash2m with API proxy,
What is the progress of this issue @alanbem ? |
Yeah, but APIs are not consumed only by browsers.
Yes, why not. You can always leverage some caching techniques if performance is a concern.
No necessities here, only tip is to do it as much handy as its possible for your proxy/end-user scripts.
If you ask me, my stateful (session enabled, no cookies with encrypted credentials) proxy would call underlying API with different authorization strategy - no OAuth preferably. Just simple Another idea would be creating extension grant which needs only user_id or an email (again this could be pulled out of session by your proxy) to provide proper long-lived token. Everything behind the scenes of course - this token, as well as clint_id and secret, would never be visible by SPA. |
I am working on it.
@Spomky what do you think? |
The implicit grant type is designed for scripting language or native applications (which are public clients), However, the use of this grant type is not restricted to public clients (confidential clients -password clients- can use it). You are right: the documentation must be updated, not to discourage the implementation of this grant type, but
Regarding this issue, the implementation of public clients is not easy; the library oauth2-php is not designed to support multiple client types/sources. |
I'm working on a proxy as suggested above to solve the issue, but I'm having a little trouble forwarding to the TokenController: if by any chance, you could have a look at this related StackOverflow question, it would be really nice! Thanks! |
According to RFC6749 (section 2.3.1), the
I guess it could be fixed in library oauth2-php where This would allow omitting the
As for supporting multiple client types/sources, there is a paragraph in RFC6749 (section 2.1) which states:
so I feel like the way oauth2-php is designed would only require to create separate clients for public and confidential types. What do you think? |
Not having public clients makes the bundle almost unusable for JavaScript or desktop based apps.
The text was updated successfully, but these errors were encountered: