
Example of implicit grant? #81

Closed
jacobweber opened this issue Jul 31, 2013 · 9 comments

Comments

@jacobweber

Do you have an example of the recommended way to use implicit grants with this server?

It seems like most of the authorization_code example in https://github.com/php-loep/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server can be used. However, there are two points where I'm a little confused about the best approach:

  • In action_authorise, where it says "Generate an authorization code", this seems like the right place to check the grant type. Should we just check for Session::get('response_type') === "token", and if it's set, call issueAccessToken instead of newAuthoriseRequest?
  • If so, the expected argument to issueAccessToken doesn't seem right. It's looking for an array of POST fields. But in this case, you won't be making a separate POST request for the access token. So it will fail because there's no grant_type=implicit field. Of course, I can manually construct this array, and pass it in to issueAccessToken myself. But that and the other required parameters should probably be documented, since it's not part of the OAuth2 spec.
@jacobweber
Author

Also, there doesn't seem to be anything corresponding to getGrantType('authorization_code')->checkAuthoriseParams() for implicit grants. Should we continue calling that, even though it's on the wrong class?

@alexbilbie
Contributor

There is an undocumented (and untested) Implicit grant in the library which you can use.

Can I ask why you need the implicit grant? I strongly recommend that you avoid it.

@jacobweber
Author

That's what I've been using -- I just didn't realize that it was untested.

I'm using it because my client is a JavaScript app, with no server. So there's no place to store a "client secret". My understanding is that implicit grants are the way to go with browser-only apps.

@alexbilbie
Contributor

That's correct, however please read this if you haven't already: https://github.com/php-loep/oauth2-server/wiki/Which-OAuth-2.0-grant-should-I-use%3F#implicit-grant-section-42

@jakelehner

Did you get this working @jacobweber? I have not been able to get the Implicit grant to work yet and noticed the same question you posed regarding checkAuthoriseParams(). So naturally, getGrantType('implicit')->checkAuthoriseParams() fails.

@jacobweber
Author

Yes, I have it working. I use getGrantType('authorization_code')->checkAuthoriseParams().

@jakelehner

@jacobweber, did you have to do anything else? When I leave authorization_code in that line I get something back, but it's not the expected format for implicit. It sends me to the redirect URL, but it's sending me back with an authcode rather than a token.

It also appears to be creating an authcode in the DB rather than a token.

Did you have to add logic to your authorise() function to handle the implicit requests differently?

@jacobweber
Author

Basically, at the point where the example generates an authorization code, I do something like this:

if ($params['response_type'] === 'code') {
    // Generate an authorization code (unchanged from the wiki example)
    [...]
} elseif ($params['response_type'] === 'token') {
    // Implicit grant: issue the access token now, with no separate token request
    $params["grant_type"] = "implicit";
    $response = $server->issueAccessToken($params);
    // Return the token to the browser client in the URL fragment
    return Redirect::to(
        League\OAuth2\Server\Util\RedirectUri::make(
            $params['redirect_uri'],
            array(
                "access_token" => $response["access_token"],
                "token_type" => "bearer",
                "state" => isset($params['state']) ? $params['state'] : ''
            ),
            "#"
        )
    );
}
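
The fragment redirect built in the snippet above, as an added example that is not part of the thread or of the oauth2-server library: it adds the checks an authorisation endpoint needs before handing a token to a browser client (exact redirect_uri match against the client's registered URIs, a required state value, and the RFC 6749 section 4.2.2 fragment fields with no refresh token). The function name, the $registeredRedirectUris list and the $token array are assumed inputs, not library APIs.

```php
<?php
// Added example (not from the thread or the library). Hypothetical helper:
// $registeredRedirectUris and $token are assumed inputs supplied by the caller.
function buildImplicitRedirect(array $params, array $registeredRedirectUris, array $token)
{
    // The implicit grant requires response_type to be exactly "token" (RFC 6749 s4.2.1).
    if (!isset($params['response_type']) || $params['response_type'] !== 'token') {
        throw new InvalidArgumentException('unsupported response_type');
    }
    // redirect_uri must exactly match a URI registered for this client; a prefix or
    // substring comparison would let the token be delivered to an unregistered URL.
    if (!isset($params['redirect_uri'])
        || !in_array($params['redirect_uri'], $registeredRedirectUris, true)) {
        throw new InvalidArgumentException('redirect_uri not registered');
    }
    // A URI that already carries a fragment would make the token response ambiguous.
    if (strpos($params['redirect_uri'], '#') !== false) {
        throw new InvalidArgumentException('redirect_uri must not contain a fragment');
    }
    // state ties the response back to the request the browser client started (CSRF defence),
    // so require it rather than echoing an empty string as the thread's snippet does.
    if (!isset($params['state']) || $params['state'] === '') {
        throw new InvalidArgumentException('missing state');
    }
    // Fragment fields per RFC 6749 s4.2.2. The implicit grant never issues a refresh_token.
    $fragment = array(
        'access_token' => $token['access_token'],
        'token_type'   => 'bearer',
        'expires_in'   => (int) $token['expires_in'],
        'state'        => $params['state'],
    );
    if (!empty($token['scope'])) {
        $fragment['scope'] = $token['scope'];
    }
    // RFC 3986 percent-encoding so the token and state survive the round trip intact.
    return $params['redirect_uri'] . '#' . http_build_query($fragment, '', '&', PHP_QUERY_RFC3986);
}

// Constructed sample input (not real client data).
$params = array(
    'response_type' => 'token',
    'redirect_uri'  => 'https://app.example/callback',
    'state'         => 'af0ifjsldkj',
);
$registered = array('https://app.example/callback');
$token = array('access_token' => 'EXAMPLE_TOKEN', 'expires_in' => 3600, 'scope' => 'read');
echo buildImplicitRedirect($params, $registered, $token), "\n";
```

Because the token travels in the fragment, it never reaches the redirect target's server logs, but the browser client must still clear it from the location bar once read.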

@jakelehner

Cool, that's what I figured I was missing. Makes total sense.

Thanks @jacobweber!
