OAuth 2.0/OIDC Access Token Retrieval Support #476
@reefqi037 I did a few refactorings to
@liyasthomas Yeah, I have seen it and made some tests. No bug found at the moment. All good!
Thanks for the quick response |
No problem! |
While I really appreciate your work (I'm just about to give it a try), I disagree with what you said about Authorization Code Flow + PKCE being the only possible flow. In my understanding, the reason you can't use a client secret in usual SPAs is that you would have to embed it in the code, so it would be accessible by the public, as you said. In the case of Postwoman, however, there is not that one client secret, but each user could add her own and save it client-side. Nobody else will ever see it. Should work perfectly fine.
This PR adds an OAuth 2.0/OIDC access token retrieval function to Postwoman.
Main Feature
With this feature, an OAuth 2.0 access token can be retrieved directly from inside Postwoman.
Since Postwoman is a web-based SPA, it has no way to hide the client secret used in the normal OAuth 2.0 flows. Therefore, only Authorization Code Flow + PKCE is implemented.
Additional Features
Screenshots
Main UI
Access Token Management UI
Token Request Management UI
Limitations
There should be room for improvements, but for the time being I think the core functions here should work (tested with Okta and Auth0 as Service Providers). Feel free to suggest and improve.
fixes #337