Feature: support OIDC implicit flow #256
Comments
+1 on implicit flow, although not all connectors will be able to implement this. Therefore it depends on the connector to allow this flow
I just want to note that implicit flow does come at a cost b/c it is a less secure auth flow. If we implement we should consider putting behind a config flag.
The use case I have: Use dex auth from my cli applications. In that case you have two choices:
Have I missed a way?
Implicit flow is for clients who can't hide their client_secret (e.g. frontend only applications). OAuth2 / OpenID Connect are intended to be for browser based apps, but for CLI tools a setup could go like this:
You could get fancier if your client requests refresh tokens. Does this make sense?
@ericchiang Oh yeah, that works as well. The only challenge that I see with this approach is that it does break the user flow and it does not work well via ssh on servers. I still agree that tokens are more secure than user credentials.
Correct me if I'm wrong but I think you're referring to the "Resource Owner Password Grants" (grant_type=password), not the implicit flow. https://tools.ietf.org/html/rfc6749#section-4.3 I don't believe OpenID Connect allows this grant type.
+1 on implicit flow. I really need the implicit flow to get my Angular app to work with dex. There's no safe way to store my client id and secret in the Angular app. SPAs like Angular apps are very popular these days. I believe the implicit flow will benefit a lot of people.
This is now supported by dex, though we need to add documentation for how to turn this on.
@ericchiang where is the documentation for turning on implicit flow?
@rithujohn191 I've tried setting I was specifically looking for documentation on configuring dex to support implicit flow for the OIDC spec
@aryzle this is config field oauth2:

```yaml
oauth2:
  responseTypes: ["code", "token", "id_token"]
```

But you're right, we don't document this. Will send a PR to do so.
Fixed in #980
👍 thanks!
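A small audit of the `oauth2.responseTypes` setting shown above, written as an added example for this thread (it is not dex's own code). It assumes the config has already been loaded into a dict (for example with `yaml.safe_load` on `config.yaml`) and that an absent `responseTypes` means dex's default of `code` only.

```python
# Audit a dex config for implicit-flow exposure via oauth2.responseTypes.
# Assumptions: the config is already a dict (e.g. from yaml.safe_load on
# config.yaml); when responseTypes is absent dex falls back to ["code"].

# Response types that hand tokens to the client straight from the
# authorization endpoint (implicit flow), with no token-endpoint step.
IMPLICIT_TYPES = frozenset({"token", "id_token"})
KNOWN_TYPES = IMPLICIT_TYPES | {"code"}
DEFAULT_TYPES = ("code",)  # assumed dex default when the field is unset


def allowed_response_types(config):
    """Return the effective oauth2.responseTypes list for this config."""
    oauth2 = config.get("oauth2") or {}
    types = oauth2.get("responseTypes")
    if not types:
        return list(DEFAULT_TYPES)
    return [str(t).strip() for t in types]


def implicit_flow_enabled(config):
    """True when at least one implicit response type is allowed."""
    return bool(IMPLICIT_TYPES & set(allowed_response_types(config)))


def audit(config):
    """Return findings for the operator; an empty list means code-only."""
    types = allowed_response_types(config)
    findings = []
    for t in types:
        if t in IMPLICIT_TYPES:
            findings.append(
                f"responseTypes allows {t!r}: tokens are delivered in the "
                f"redirect URL fragment (implicit flow), exposed to browser "
                f"history and to scripts running on the redirect page"
            )
        elif t not in KNOWN_TYPES:
            findings.append(f"responseTypes contains unrecognised value {t!r}")
    if "code" not in types:
        findings.append("responseTypes omits 'code': the authorization "
                        "code flow is disabled for every client")
    return findings


# Constructed sample matching the setting from the thread that enables implicit flow.
SAMPLE_CONFIG = {
    "issuer": "https://dex.example.test",
    "oauth2": {"responseTypes": ["code", "token", "id_token"]},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["OK: code flow only"]:
        print(line)
```

Run it against a parsed config before rolling a change out; anything it reports for `token` or `id_token` is the "less secure auth flow" the thread discusses and should be a deliberate decision per deployment.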
see #255