Implicit grant type supported? #76

Closed
pntest opened this issue May 4, 2016 · 5 comments
@pntest

pntest commented May 4, 2016

Question:
As far as I can see from the documentation, the implicit grant type for OAuth 2.0 does not seem to be supported yet. Is my understanding correct?

@ve7jtb
Collaborator

ve7jtb commented May 4, 2016

People use the term implicit in two ways.

1. to describe fragment encoding the response
2. to refer to the token response_type

The token response type has some security issues as it cannot be protected from interception via PKCE.
That you likely will not see. (fragment encoded access tokens may go away in future revisions of OAuth)

The hybrid response types like "code id_token" are potentially useful for native apps and may get supported.

We were discussing that last week.

What are you looking for?

Regards
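To make the distinction in the comment above concrete, here is an added example (not code from the AppAuth project or from this thread) contrasting the two. The "token" response type delivers the access token in the redirect URI fragment, so whoever receives the redirect holds the token outright and nothing can be demanded of them afterwards. The code flow with PKCE (RFC 7636) adds a second step at the token endpoint where the client must present the `code_verifier` it never sent over the redirect, so an intercepted redirect yields only a code that cannot be redeemed. The authorization server below is a constructed stand-in that models only code issuance and the token-endpoint check; the token value and the `example.invalid` redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 section 4.1: a high-entropy random string of 43..128 unreserved characters.
    32 random bytes base64url-encode to exactly 43 characters."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Constructed stand-in for an authorization server (not AppAuth or any real AS).
    It models only the two PKCE-relevant steps: remembering the challenge alongside the
    issued code, and checking the verifier when the code is redeemed."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        if code_challenge_method != "S256":
            raise ValueError("this example only accepts S256")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        # Codes are single use: pop so that a second redemption of the same code fails.
        expected = self._pending.pop(code, None)
        if expected is None:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), expected):
            return None
        return {"access_token": "constructed-access-token", "token_type": "Bearer"}


def parse_fragment_response(redirect_uri: str) -> Dict[str, str]:
    """response_type=token (RFC 6749 section 4.2): the token is carried in the URI fragment
    of the redirect itself, so there is no later step at which a verifier could be checked."""
    fragment = urlsplit(redirect_uri).fragment
    return {k: v[0] for k, v in parse_qs(fragment).items()}


def run_pkce_demo() -> Dict[str, bool]:
    """Code flow with PKCE: a redirect carrying only the code is worthless without the
    verifier that the client kept in memory and never transmitted over the redirect."""
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()

    # Redeeming a code with any verifier other than the one behind its challenge fails.
    code = server.authorize(make_code_challenge(verifier))
    wrong = server.token(code, make_code_verifier())  # this attempt also consumes the code

    # The legitimate client, with a fresh code, succeeds exactly once.
    code = server.authorize(make_code_challenge(verifier))
    legitimate = server.token(code, verifier)
    replay = server.token(code, verifier)

    return {
        "wrong_verifier_rejected": wrong is None,
        "correct_verifier_accepted": legitimate is not None,
        "code_replay_rejected": replay is None,
    }


if __name__ == "__main__":
    print(run_pkce_demo())
    print(parse_fragment_response(
        "https://example.invalid/cb#access_token=constructed&token_type=Bearer&expires_in=3600"))
```

The S256 derivation can be checked against the test vector in RFC 7636 Appendix B; the rest of the block shows the property the comment relies on, namely that the token endpoint, not the redirect, is where the client proves possession of the verifier.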

@pntest
Author

pntest commented May 4, 2016

I am referring to Section 4.2 of RFC 6749. Based on my understanding of the RFC, I think I am referring to token response_type. From your comment above, it looks like you don't have plans to support it for security reasons. Is that correct?

@ve7jtb
Collaborator

ve7jtb commented May 4, 2016

The "token" response type is not recommended for native apps.

The problem is that custom scheme redirects may be intercepted by other than the intended target especially on iOS (it can happen on Android as well but the user is warned).

That flow was intended for JavaScript clients executing in a browser and not for native applications.

To set the best example I don't expect it to be supported in the AppAuth.

Regards
John B.

@pntest
Author

pntest commented May 4, 2016

Thanks a lot for your quick response.

@iainmcgin
Member

I made some comments related to this in #75 - it would be possible to support in the library, but probably with some pretty onerous version restrictions (Android M and up) to guarantee any kind of security. I agree with John that code flows that grant refresh tokens are much better for native apps, particularly if the tokens granted through the implicit flow have short expirations.
