server: fixes for the implicit and hybrid flow #766
Conversation
Thanks for this PR.
Why don't we make the current CORS option encompass that?
opened #771
going to add a few inline comments then merge
does this client use the userinfo_endpoint? we'll have to implement that too (which won't be impossible) #376
Yes userinfo_endpoint is the following call in the flow but it is optional, configurable with a flag (resulting in using claims from the id_token.profile only), thus having it implemented is not mandatory for this client.
Accept the following response_type for the implicit flow:
- id_token
- token id_token

And the following for hybrid flow:
- code id_token
- code token
- code token id_token

This corrects the previous behavior of the implicit flow, which only accepted "token" (now correctly rejected).
ea5db1f to f926d74
// Otherwise render the error to the user. | ||
// | ||
// TODO(ericchiang): Should we just always render the error? | ||
s.renderError(w, err.Status(), err.Error()) |
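Review bot: the `// TODO(ericchiang): Should we just always render the error?` above should not be resolved as "always render": RFC 6749 section 4.1.2.1, the section cited in this thread, has the server redirect errors back to the client's registered redirect_uri, except when the request fails because the redirect_uri or client_id is missing, invalid or mismatching, in which case the server informs the resource owner and must not redirect. Suggest replacing the TODO with a comment stating that split (redirect once redirect_uri has been validated, render otherwise) so the condition that leads to `s.renderError(w, err.Status(), err.Error())` is documented at the call site.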
Is there any reason why we should not just render the error always?
Part of the oauth2 spec is returning errors to the client https://tools.ietf.org/html/rfc6749#section-4.1.2.1
Accept the following response_type for the implicit flow:
- id_token
- token id_token

And the following for hybrid flow:
- code id_token
- code token
- code token id_token

This corrects the previous behavior of the implicit flow, which
only accepted "token" (now correctly rejected).
cc @rithujohn191 @xeonx
@xeonx can you see if this branch works with your client?
closes #761
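The response_type sets listed in the PR description, as an added illustration of how a server can classify and gate them. This is example code written for this page, not dex's own implementation: the function names `classifyResponseType` and `validateAuthRequest` are invented here, the entry accepting a bare `code` (plain authorization code flow) is an assumption outside this PR's scope, and the nonce rule applied to implicit and hybrid requests comes from OpenID Connect Core rather than from this thread.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// allowedResponseTypes maps the canonical (sorted, space-joined) form of each
// accepted response_type set to the flow it selects. Order in the request is
// irrelevant, so "token id_token" and "id_token token" hit the same entry.
// The implicit and hybrid sets are the ones named in the PR; "code" alone
// (plain authorization code flow) is an assumption added so the classifier
// is complete and is not part of this PR's change.
var allowedResponseTypes = map[string]string{
	"code":                "code",
	"id_token":            "implicit",
	"id_token token":      "implicit",
	"code id_token":       "hybrid",
	"code token":          "hybrid",
	"code id_token token": "hybrid",
}

// classifyResponseType parses a response_type value and returns the flow it
// selects. Unknown tokens, duplicates, and any combination outside the
// accepted sets are rejected, which includes the bare "token" that the PR
// description says is now correctly refused.
func classifyResponseType(raw string) (string, error) {
	fields := strings.Fields(raw)
	if len(fields) == 0 {
		return "", fmt.Errorf("response_type is required")
	}
	seen := make(map[string]bool, len(fields))
	for _, f := range fields {
		switch f {
		case "code", "token", "id_token":
		default:
			return "", fmt.Errorf("unknown response_type value %q", f)
		}
		if seen[f] {
			return "", fmt.Errorf("duplicate response_type value %q", f)
		}
		seen[f] = true
	}
	sort.Strings(fields)
	flow, ok := allowedResponseTypes[strings.Join(fields, " ")]
	if !ok {
		return "", fmt.Errorf("unsupported response_type %q", raw)
	}
	return flow, nil
}

// validateAuthRequest applies the response_type check together with the
// nonce rule from OpenID Connect Core: implicit and hybrid requests must
// carry a nonce (it is bound into the id_token to stop replay), while the
// plain code flow may omit it. It returns the selected flow on success.
func validateAuthRequest(responseType, nonce string) (string, error) {
	flow, err := classifyResponseType(responseType)
	if err != nil {
		return "", err
	}
	if flow != "code" && nonce == "" {
		return "", fmt.Errorf("nonce is required for the %s flow", flow)
	}
	return flow, nil
}

func main() {
	// Constructed sample requests covering accepted sets and rejected cases.
	samples := []struct{ responseType, nonce string }{
		{"id_token", "n-0S6_WzA2Mj"},
		{"token id_token", "n-0S6_WzA2Mj"},
		{"code token id_token", "n-0S6_WzA2Mj"},
		{"token", "n-0S6_WzA2Mj"}, // rejected: token-only implicit is not accepted
		{"code id_token", ""},     // rejected: hybrid request without a nonce
		{"code", ""},              // accepted: plain code flow needs no nonce
	}
	for _, s := range samples {
		flow, err := validateAuthRequest(s.responseType, s.nonce)
		if err != nil {
			fmt.Printf("%-22q -> rejected: %v\n", s.responseType, err)
			continue
		}
		fmt.Printf("%-22q -> %s flow\n", s.responseType, flow)
	}
}
```

Sorting the tokens before the lookup is what makes the accepted sets order-independent, so a client sending `id_token code token` is treated the same as `code token id_token`; anything not in the table, including `token` on its own, fails closed.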