This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Supporting the hybrid flow #427

Closed
mukhtar opened this issue Oct 1, 2017 · 8 comments

mukhtar commented Oct 1, 2017

I’m making use of this library and wanted to ask a little about support for the hybrid flow. I’ve read the issues that exist on this topic and I understand that the plan is not to support this flow.

I have a couple of questions that I hope you can help me with.

  1. Can you suggest any other libraries that are similar to oidc-client-js that support the hybrid flow? I’ve come across AppAuth-JS but this seems to target Chrome apps and Electron, which my application is not (simple browser-based web app).

  2. How much work would be involved, in your opinion, to extend oidc-client-js to support hybrid flow? If I wanted to do this myself, are you able to point me in the right direction please?

@brockallen
Member

Hybrid flow is not designed for browser-based apps. Why do you want to use it for that scenario?

@mukhtar
Author

mukhtar commented Oct 1, 2017

I think I was unclear when I said 'browser based'.

I'm working on two apps. One is a traditional web application where web pages are rendered server side and there is some element of client side logic. The other is more of an SPA.

For the former, from what I can tell, it would be necessary for the server to be able to get the id and access tokens using the authorisation code, thus the hybrid flow would be useful. For the latter, the implicit flow would suffice.

From your experience, do you see this library (oidc-client) being used for traditional web apps where web pages are rendered server side? Is a client side openid connect library even necessary?

@brockallen
Member

> From your experience, do you see this library (oidc-client) being used for traditional web apps where web pages are rendered server side

No, because it's specifically designed for client-side browser-based JS apps. If you want something server-side, then there are already tons of other OIDC frameworks for that.

@mukhtar
Author

mukhtar commented Oct 11, 2017

Thanks. How much work would be involved, in your opinion, to extend oidc-client-js to support hybrid flow? If I wanted to do this myself, are you able to point me in the right direction please?

@brockallen
Member

No, sorry, I don't have the bandwidth. If you're looking to hire us for consulting services, or sponsor features then let us know.

@benpolinsky

@NathanStrutz

@mukhtar

> Thanks. How much work would be involved, in your opinion, to extend oidc-client-js to support hybrid flow? If I wanted to do this myself, are you able to point me in the right direction please?

I bet you can do most of that by just cloning and reverting 10b58d7. 😃

@brockallen
Member

No. There's more validation to be performed, and supporting id_token on the front channel and then on the back channel adds complexity that I don't have time to consider.
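
Two of the hybrid-flow checks that OpenID Connect Core requires of a client, sketched as an added example that is not part of this thread or of oidc-client-js: the `c_hash` binding between the authorization code and the front-channel id_token, and the `iss`/`sub` match between the front-channel and back-channel id_tokens. The function names, the `{ header, claims }` token shape and the sample values are assumptions; signature, `aud`, `exp` and `nonce` validation are assumed to have been done already.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// c_hash uses the hash with the same bit size as the id_token's JWS "alg".
const HASH_FOR_BITS = { 256: 'sha256', 384: 'sha384', 512: 'sha512' };

function computeCHash(code, alg) {
  const m = /^(?:RS|PS|ES|HS)(256|384|512)$/.exec(alg);
  if (!m) throw new Error(`unsupported alg for c_hash: ${alg}`);
  const digest = createHash(HASH_FOR_BITS[m[1]]).update(code, 'ascii').digest();
  // Left-most half of the digest, base64url-encoded without padding.
  return digest.subarray(0, digest.length / 2).toString('base64url');
}

// frontToken/backToken are hypothetical { header, claims } objects for ID tokens
// whose signature, iss, aud, exp and nonce were already validated (assumed).
function validateHybridResponse(code, frontToken, backToken) {
  const expected = Buffer.from(computeCHash(code, frontToken.header.alg));
  const actual = Buffer.from(String(frontToken.claims.c_hash ?? ''));
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    return { ok: false, reason: 'c_hash does not match the returned code' };
  }
  // The token-endpoint ID token must name the same issuer and subject.
  if (backToken) {
    for (const claim of ['iss', 'sub']) {
      if (backToken.claims[claim] !== frontToken.claims[claim]) {
        return { ok: false, reason: `${claim} differs between front and back channel` };
      }
    }
  }
  return { ok: true };
}

// Constructed sample values, not from a real provider.
const sampleCode = 'constructed-authorization-code';
const sampleFront = {
  header: { alg: 'RS256' },
  claims: { iss: 'https://op.example', sub: 'user-1', c_hash: computeCHash(sampleCode, 'RS256') },
};
const sampleBack = { header: { alg: 'RS256' }, claims: { iss: 'https://op.example', sub: 'user-1' } };
console.log(validateHybridResponse(sampleCode, sampleFront, sampleBack));
console.log(validateHybridResponse('swapped-code', sampleFront, sampleBack));
```

A code that was swapped or injected on the front channel fails the first check before it is ever sent to the token endpoint.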
