Missing Resource Owner Password Credentials flow

[alex94cp]

According to the rfc, the ROPC flow can also be used when there is a high degree of trust between the resource owner and the client, as it's the case with a first-party app, where the use of an implicit flow would hurt UX. OAuth2-client lacks this ROPC flow.

[prayerslayer]

Yup, correct. I’ll see when I have some time to implement it.

I’m curious: Do you intend to use the library in the browser or on the server?

[alex94cp]

In the browser, it's a simple React app. I plan to go isomorphic in the
future though.

Álex Puchades
El 11/8/2015 7:59, "Nikolaus Piccolotto" notifications@github.com
escribió:

Yup, correct. I’ll see when I have some time to implement it.

I’m curious: Do you intend to use the library in the browser or on the
server?

—
Reply to this email directly or view it on GitHub
#3 (comment)
.

[prayerslayer]

Aren’t you exposing your client credentials (including the secret) then?

[alex94cp]

Nope. OAuth2 distinguishes two client types: confidential and public (see here). Public clients are not required to provide its client_secret (as it's the case for an ajax app). I'm using this passport strategy on the server to protect the token endpoint.

[prayerslayer]

Ah, so you can do the ROPC flow with non-confidential clients as well. I kind of overread that.

[LappleApple]

@prayerslayer Do you still want this enhancement? If so, can we open it up to "Help Wanted"?

[prayerslayer]

Yes, do want. It's unlikely I get to this myself though, so I added the help label.

[LappleApple]

@prayerslayer Great!