Oidc-client-js: Hybrid flow - for SPAs with backends

Created on 19 Aug 2017 · 4 Comments · Source: IdentityModel/oidc-client-js

I think it'd be useful to add official support for the hybrid flow, where a Single Page App does the auth request/response steps with response_type="code id_token", and then sends the code to the backend service, so that the backend is able to obtain a confidential access token.

question

All 4 comments

There is today a proliferation of SPAs and corresponding implementations of code flow/hybrid flow stuff with obscure implementations of popups, sometimes built with a suboptimal understanding of the protocols involved.
The oidc-client-js project is the only really trustworthy source; it would be great if this lib could serve as a base for SPA-specific versions for Angular, React, Vue.js...

Hybrid flow is designed for server-side apps (and native apps if they also use PKCE). This library is specifically focused on implicit flow.

Hi Brock,
Sure, I understand the focus and the lib is doing this exquisitely.

Just for my understanding, do you see the usage of hybrid/code flow in a SPA, but with a dedicated backend (in such a way that the client secret is stored only server side and a server back channel is used for exchanging the code for a token with the STS), as an anti-pattern/security concern?

do you see the usage of hybrid/code flow in a SPA

Not really. If you were to do this, you would have a bootstrapping problem to securely make requests from the SPA to the server-side to then use the secret/RT/hybrid flow/etc.
