Oidc-client-js: Error: OpenID Connect hybrid flow is not supported

Created on 11 Jan 2019  ·  13 Comments  ·  Source: IdentityModel/oidc-client-js

After updating from v1.5.4 to v1.6.1, where I wouldn't expect any breaking changes as it's not a new major version, and according to the changelog there are no breaking changes, my authentication stopped working.

In the console, I have the following error:

[screenshot of the browser console, 2019-01-11 15:57:02: "Error: OpenID Connect hybrid flow is not supported"]

What is this about? Is it up to the server to fix it or up to the client implementation? What needs to be fixed to solve this?

I'd appreciate any help to solve this. For now, I've locked the version to v1.5.4.

question

All 13 comments

It never supported hybrid flow. "id_token token" and "code" flow are supported.

@brockallen Thanks for your reply. I've looked at the code and what I'm passing to the authentication request within the "response_type" is: code id_token token. According to your reply, this should be valid.
If this is the case, is it a backend server issue? And why does this error appear when changing the minor level of oidc-client?

Thanks for any help!

No, that's hybrid. Only "id_token token" or "code" is supported.

@brockallen I've double-checked and unfortunately I can't get the authentication to work with either id_token token OR code, only with both code id_token token.

Therefore, my question is where is the following documented?

It never supported hybrid flow. "id_token token" and "code" flow are supported.

Is it correct, that if this doesn't work, action on the IdentityServer is necessary?

Thanks in advance.

What token server are you using?

@brockallen We're using Identity Server 3

If you want to use code flow in IS3, then you also need to enable PKCE in the client config. I don't recall if we had a flag in IS3 to not require client secrets, so you might also need to set a dummy client secret... I don't know if I tested with that, so perhaps that's the issue? Check the IS3 logs.

I had the same problem as you @julmot .

Before, hybrid flow was supported by oidc-client-js:

https://github.com/IdentityModel/oidc-client-js/commit/10b58d7d7f21df0d7a6df27a6dd9799679b28361

But for everything there is an explanation:
https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2

Such breaking change should definitely be described in Release Notes! I have as well used response_type: "code id_token" in version 1.5.3, but now it is not supported anymore.

There was no released version that ever supported hybrid flow, thus there's no breaking change. Why do you all think it did? Just because there was a commit somewhere? Check the features for the tagged versions.

@brockallen version 1.5.3 includes support of hybrid flow where it is possible to set response_type: "code id_token". Not sure what you define as "released version", but for me as the user of this (very nice) library, as long as I can find a released npm package version, it is released.

But there was no code in the library in 1.5.3 to process the authorization code returned. There was no code that connected to the token endpoint to exchange the code for an access token.

Are you saying that you used "code id_token" and then you wrote the code to process the code coming back?

I might be wrong, but I think what was happening is that this library never previously had any support for the "code" response_type parameter, but now that it does it is interfering with the fact that someone might have been using it that way. Since hybrid was never something this specifically had support for (despite the fact that you could misuse it to make hybrid requests), then I can't really help you on this.

Given that, I am closing this. I'm sorry that with the new features it changes how you wanted to use this library.
