Some experts say that using password flow is unsafe
https://tools.ietf.org/html/rfc6749#section-10.7
why bitwarden use password flow?
Which option do you propose?
@kspearrin bitwarden project has identity project
why do not use implict flow?
The implicit flow requests tokens without explicit client authentication, instead using the redirect URI to verify the client identity. Because of this, refresh tokens are not allowed, nor is this flow suitable for long lived access tokens. From the client application's point of view, this is the simplest to implement, as there is only one round trip to the OpenID Connect Provider.
https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows
This wouldn't work. We need long term sessions in Bitwarden clients. Users don't want to auth with the server every time they use the app.
Hi @kspearrin
The Scott author has a article about use password flow
Isso n茫o funcionaria. Precisamos de sess玫es de longo prazo nos clientes do Bitwarden. Os usu谩rios n茫o querem autentica莽茫o com o servidor toda vez que usam o aplicativo.
Use silent refresh
@kspearrin
Auth Code Flow + PKCE(PROOF Key for Code Exchange) is default in asp.net 3.X
Most helpful comment
Hi @kspearrin
The Scott author has a article about use password flow
https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications
https://www.scottbrady91.com/OpenID-Connect/Silent-Refresh-Refreshing-Access-Tokens-when-using-the-Implicit-Flow