OAuth2.0 Implicit Grant flow Support?

[zhenhaolei]

Hi,

We implemented OAuth2.0 implicit grant flow to use ResponseTypeValues.TOKEN in AuthorizationRequest builder. However, in fromUri method of AuthorizationResponse, it only parses query parameters but not URI fragment "#".

See more details: http://stackoverflow.com/questions/16733863/oauth2-0-implicit-grant-flow-why-use-url-hash-fragments

We're wondering if it's something you could support or if there's anything you'd suggest us to do if we want to support it? A quick change we could think is to replace "#" with "?" locally in fromUrl method for this flow, something like:

if (mRequest.responseType.equals(ResponseTypeValues.TOKEN)) {
     String url = uri.toString();
     url = url.replace("#", "?");
     uri = Uri.parse(url);
}

Thank you for your help and providing this great project!

[iainmcgin]

Hi there,

We have an enhancement issue open for supporting the hybrid / implicit flow - see #75. Another user of the library made some modifications to their own fork to support this, but we're not prioritizing it for the official library as we feel, in most cases, it is not suitable for use with mobile apps. We strongly recommend using a code authorization flow wherever possible to avoid having to re-auth in your app using AppAuth every time the access token expires.

[zhenhaolei]

Thanks @iainmcgin , I missed that issue. This is very helpful!