Example of implicit grant? #81
Do you have an example of the recommended way to use implicit grants with this server?

It seems like most of the authorization_code example in https://github.com/php-loep/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server can be used. However, there are two points where I'm a little confused about the best approach:

Also, there doesn't seem to be anything corresponding to getGrantType('authorization_code')->checkAuthoriseParams() for implicit grants. Should we continue calling that, even though it's on the wrong class?

Comments

There is an undocumented (and untested) Implicit grant in the library which you can use. Can I ask why you need the implicit grant? I strongly recommend that you avoid it.

That's what I've been using -- I just didn't realize that it was untested. I'm using it because my client is a JavaScript app, with no server. So there's no place to store a "client secret". My understanding is that implicit grants are the way to go with browser-only apps.

That's correct; however, please read this if you haven't already: https://github.com/php-loep/oauth2-server/wiki/Which-OAuth-2.0-grant-should-I-use%3F#implicit-grant-section-42

Did you get this working @jacobweber? I have not been able to get the Implicit grant to work yet and noticed the same question you posed regarding checkAuthoriseParams(). So naturally, getGrantType('implicit')->checkAuthoriseParams() fails.

Yes, I have it working. I use getGrantType('authorization_code')->checkAuthoriseParams().

@jacobweber, did you have to do anything else? When I leave authorization_code in that line I get something back, but it's not the expected format for implicit. It sends me to the redirect URL, but it's sending me back with an authcode rather than a token. It also appears to be creating an authcode in the DB rather than a token. Did you have to add logic to your authorise() function to handle the implicit requests differently?

Basically, at the point where the example generates an authorization code, I do something like this:

```php
if ($params['response_type'] === 'code') {
    // Generate an authorization code
    [...]
} else if ($params['response_type'] === 'token') {
    // Implicit grant: issue the access token directly instead of a code
    $params["grant_type"] = "implicit";
    $response = $server->issueAccessToken($params);
    // Implicit grant: the token goes in the URI fragment ("#"), not the query string
    return Redirect::to(
        League\OAuth2\Server\Util\RedirectUri::make($params['redirect_uri'],
            array(
                "access_token" => $response["access_token"],
                "token_type" => "bearer",
                "state" => isset($params['state']) ? $params['state'] : ''
            ), "#")
    );
}
```

Cool, that's what I figured I was missing. Makes total sense. Thanks @jacobweber!