Angular-oauth2-oidc: Code flow and PKCE, without oidc?

Created on 27 Feb 2020 · 3 Comments · Source: manfredsteyer/angular-oauth2-oidc

This is a more general question over how this library can be used. Can it be used for code flow with PKCE, but without the OpenID part? My auth server is a django-oauth-toolkit server and only issues access tokens; it does not issue ID tokens.

With this config it tried to find the discovery document; however, without that final call it doesn't try to hit my server at all:

this.oauthService.redirectUri = window.location.origin + '/dashboard';
this.oauthService.issuer = 'http://localhost:8000/';
this.oauthService.clientId = 'spa';
this.oauthService.scope = 'read write';
this.oauthService.oidc = false; // ID_Token
this.oauthService.setStorage(sessionStorage);
this.oauthService.responseType = 'code';
this.oauthService.requireHttps = false;

this.oauthService.tokenValidationHandler = new JwksValidationHandler();
this.oauthService.loadDiscoveryDocumentAndTryLogin();

// login component
this.oAuthService.initCodeFlow();

Expected behaviour

Hits my Django OAuth server with response type 'code' and redirects to the server login template.

Desktop (please complete the following information):

  • OS: OS 10.15.2
  • Browser: Chrome
  • Version: [e.g. 22]

Label: question

All 3 comments

Not sure about the main question you're asking, but to the specifics I can comment:

Know that loadDiscoveryDocumentAndTryLogin() does two things:

  • load disco document to get settings (e.g. public key for token signing) from IDServer
  • _try_ login, which means it checks the address bar to see if a redirect just happened that left a code or a token in the hash fragment

It's a convenience overload that will not (by design) redirect users to sign in at all. As you noticed, you need the method you mentioned.

For implicit flow you can also check my (verbose) example login flow that explains how the lib can be used.

Hope that helps?

@jeroenheijmans - thanks for your comment.

Ok, so it handles the code/token upon redirect, that makes sense.

The DiscoveryDocument is what is a little mysterious. I do not seem to have this on the django server I have been given, which uses code flow and PKCE but is not handling an OpenID layer, i.e. it will not give me user_id, profile, etc., only JWT access/refresh tokens, and it handles authentication.

My original question was two things:

  • Can I skip OIDC with this library? I saw a boolean for it.
  • Can I skip the discoveryDocument and still do OAuth2 + PKCE with this lib, since I don't seem to have the document on the server?

Essentially I want to use the library for two reasons:

  1. It's fairly well documented.
  2. It handles token exchange and does most of the heavy lifting and redirects.
     (...but it's quite hard to configure for a beginner in SPA OAuth)

I think you could do all that. Skipping the disco document (which I think you're missing as it is part of OpenID, I believe) is possible. I do see most people then use the NullValidationHandler because configuring jwks without disco is a pain.
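Skipping the discovery document, as the comment above suggests, means the authorization and token endpoints (and, for OIDC, the jwks URI) that discovery would normally fill in have to be configured by hand, which is also why NullValidationHandler follows. The block below is an added example written for this page, not the library's code: it models that manual configuration with field names taken from angular-oauth2-oidc's AuthConfig (loginUrl, tokenEndpoint, oidc, responseType), builds the PKCE authorization request of the kind initCodeFlow() issues, and shows the state check that the "try login" step must apply on the way back. The django-oauth-toolkit endpoint paths, the port 4200 redirect URI and the ManualCodeFlowConfig interface itself are assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Hypothetical subset of the settings the library reads (names follow AuthConfig).
// Without a discovery document nothing fills in loginUrl/tokenEndpoint, so set them by hand.
interface ManualCodeFlowConfig {
  loginUrl: string;      // authorization endpoint (normally from the discovery document)
  tokenEndpoint: string; // token endpoint (normally from the discovery document)
  clientId: string;
  redirectUri: string;
  scope: string;
  oidc: boolean;         // false: plain OAuth2, no id_token and no jwks to validate
  responseType: "code";
}

// Constructed config for the django-oauth-toolkit server in the issue; the /o/ paths are assumed.
export const manualConfig: ManualCodeFlowConfig = {
  loginUrl: "http://localhost:8000/o/authorize/",
  tokenEndpoint: "http://localhost:8000/o/token/",
  clientId: "spa",
  redirectUri: "http://localhost:4200/dashboard",
  scope: "read write",   // no "openid" scope because oidc is false
  oidc: false,
  responseType: "code",
};

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
export function codeChallenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// 32 random bytes -> 43 base64url chars, inside the 43..128 range RFC 7636 requires.
export function newVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// The request sent to loginUrl; state binds the redirect back to this request.
export function buildAuthorizeUrl(cfg: ManualCodeFlowConfig, verifier: string, state: string): string {
  const url = new URL(cfg.loginUrl);
  const params: Record<string, string> = {
    response_type: cfg.responseType, client_id: cfg.clientId, redirect_uri: cfg.redirectUri,
    scope: cfg.scope, state, code_challenge: codeChallenge(verifier), code_challenge_method: "S256",
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// What the "try login" step reads after the redirect: accept the code only if state matches.
export function codeFromRedirect(href: string, expectedState: string): string | null {
  const p = new URL(href).searchParams;
  return p.get("state") === expectedState ? p.get("code") : null;
}
```

The verifier must be kept (for example in sessionStorage) until the code is exchanged at tokenEndpoint, since the server checks it against the challenge sent here.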
