There is definitely no good way to handle secrets on the client side. The client is not under your control and can never be trusted. This requires a change in the default login implementation in the Angular and React Native projects.
https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-00#section-6.2
It would be great if the Authorization Code Flow were used instead of the client_credentials or password flow.
I think this will improve the security of client applications.
I'm still exploring abp.io and loving it. Thanks for this amazing project.
We are using the resource owner password flow. The client has no permissions itself, so without a valid username/password the client name/secret does nothing.
However, we will be working on the other flows in the next versions.
We changed to the authorization code flow. The Account module will support both the authorization code and resource owner password flows. Authorization code will be the default for new applications, and we will create a simple guide to change over existing apps (very easy).