Moving bshaffer/oauth2-server-php#81 to here

From @bojanz:

The implicit flow is less secure than the authorization code flow; neither the spec nor any other resources attempt to hide that.

A potential problem revolves around mistakenly using OAuth2 not just for authorization, but for authentication as well. An attack is described in http://homakov.blogspot.com/2012/08/oauth2-one-accesstoken-to-rule-them-all.html and can be resolved by implementing an additional call to validate the access token after it has been received (send the token and a client id, get a status and a list of scopes back).

I think it would make sense to have a note in the README about this. As the people providing the library (and Drupal integration in my case), we are responsible if people shoot themselves in the foot with it.
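An added illustration of the post-receipt check described in the issue (example code, not part of the issue or of oauth2-server-php): the client sends the token to the provider's validation endpoint, gets back a status, the client id the token was issued to and its scopes, and refuses to treat the user as authenticated unless the token is live and was minted for this very client. The response shape and the sample token table are assumptions.

```python
from dataclasses import dataclass

# Constructed sample of what the provider's token-validation endpoint would
# return for a few tokens (hypothetical data, not the library's own format).
TOKEN_INFO = {
    "tok-ours":  {"status": "valid",   "client_id": "our-app",   "scope": ["email", "profile"]},
    "tok-other": {"status": "valid",   "client_id": "other-app", "scope": ["email"]},
    "tok-dead":  {"status": "expired", "client_id": "our-app",   "scope": ["email"]},
}


def lookup_token(token):
    """Stand-in for the network call: send the token, get status and scopes back."""
    return TOKEN_INFO.get(token, {"status": "invalid", "client_id": None, "scope": []})


@dataclass
class Verified:
    client_id: str
    scopes: list


def validate_token(token, our_client_id, lookup=lookup_token):
    """Return Verified(...) only if the token is live AND was issued to us.

    A None result means 'do not log this user in'. The client-id comparison is
    the step whose absence the linked attack relies on: a perfectly valid token
    that was issued to some other client must not authenticate anyone here.
    """
    info = lookup(token)
    if info.get("status") != "valid":
        return None
    if info.get("client_id") != our_client_id:
        return None
    return Verified(client_id=info["client_id"], scopes=list(info.get("scope", [])))


if __name__ == "__main__":
    for tok in ("tok-ours", "tok-other", "tok-dead", "tok-unknown"):
        print(tok, "->", validate_token(tok, "our-app"))
```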