Hi guys, I have a question about the implicit flow. I'm a little confused because I can see that other people tried to use this flow on the /token endpoint and failed, and it was said that your library doesn't support public clients. But actually the implicit flow doesn't use the /token endpoint. It's based on a request to /auth with the parameter "response_type" set to "token".
You are using the friendsofsymfony/oauth2-php library, which supports this flow, and the only check it does is whether the storage implements IOAuth2GrantImplicit. You added this interface to OAuthStorage, and with this setup I guess it's always possible for every client with the "authorization_code" grant type enabled to add "response_type=token" and use the implicit flow.
Is there any way to disable it that I can't see, or does every client have the implicit flow enabled by default? Because that doesn't look like a secure default configuration.
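The check the issue is asking about, modelled as an added example (this is not code from FOSOAuthServerBundle or friendsofsymfony/oauth2-php, and the client registry, the `permissive_authorize`/`strict_authorize` functions and the request strings are constructed for illustration). The permissive variant gates `response_type=token` only on whether the storage supports the implicit grant, as the issue describes; the strict variant additionally requires the grant implied by `response_type` to be in the client's own allow-list, which is what makes a per-client "implicit disabled" setting enforceable at /auth rather than only at /token.

```python
"""Per-client response_type enforcement at an OAuth 2.0 /auth endpoint.

Added example, not code from FOSOAuthServerBundle or friendsofsymfony/oauth2-php.
The client registry and both endpoint variants are constructed for illustration.
"""
from urllib.parse import parse_qs

# RFC 6749: response_type=code is the authorization code grant (section 4.1),
# response_type=token is the implicit grant (section 4.2).
RESPONSE_TYPE_TO_GRANT = {"code": "authorization_code", "token": "implicit"}

# Constructed registry: the grant types each client was registered with.
CLIENTS = {
    "web-app": {"allowed_grant_types": {"authorization_code", "refresh_token"}},
    "legacy-spa": {"allowed_grant_types": {"implicit"}},
}


class AuthorizeError(Exception):
    """Carries the RFC 6749 error code the endpoint would return."""


def _single(params, name):
    """Require exactly one value for a parameter (RFC 6749 section 3.1)."""
    values = params.get(name, [])
    if len(values) != 1:
        raise AuthorizeError("invalid_request")
    return values[0]


def _validate_common(query, storage_supports_implicit):
    """Checks shared by both variants: known client, known response_type,
    and the storage actually implementing the implicit grant."""
    params = parse_qs(query)
    client_id = _single(params, "client_id")
    response_type = _single(params, "response_type")
    if client_id not in CLIENTS:
        raise AuthorizeError("invalid_client")
    grant = RESPONSE_TYPE_TO_GRANT.get(response_type)
    if grant is None or (grant == "implicit" and not storage_supports_implicit):
        raise AuthorizeError("unsupported_response_type")
    return CLIENTS[client_id], grant


def permissive_authorize(query, storage_supports_implicit=True):
    """Models the behaviour described in the issue: once the storage supports
    the implicit grant, any registered client may use response_type=token,
    regardless of the grant types it was registered with."""
    _client, grant = _validate_common(query, storage_supports_implicit)
    return grant


def strict_authorize(query, storage_supports_implicit=True):
    """Hardened variant: the grant implied by response_type must also be in
    the client's allow-list, otherwise unauthorized_client (RFC 6749
    sections 4.1.2.1 and 4.2.2.1)."""
    client, grant = _validate_common(query, storage_supports_implicit)
    if grant not in client["allowed_grant_types"]:
        raise AuthorizeError("unauthorized_client")
    return grant


def outcome(fn, query, **kwargs):
    """Return the grant name or the error code, for side-by-side comparison."""
    try:
        return fn(query, **kwargs)
    except AuthorizeError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed request: a code-only client switches response_type to token.
    q = ("client_id=web-app&response_type=token"
         "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&state=xyz")
    print("permissive:", outcome(permissive_authorize, q))  # implicit
    print("strict:    ", outcome(strict_authorize, q))      # unauthorized_client
```

Run it as-is to see the two verdicts for the same request. The point of the strict variant is that the decision is keyed on the client record, so the registered grant types become the single source of truth for both /auth and /token.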