Difference between OAuth 2.0 Two legged and Three legged implementation

First, the legs refer to the roles involved. A typical OAuth flow involves three parties: the end-user (or resource owner), the client (the third-party application), and the server (or authorization server). So a 3-legged flow involves all three. The term 2-legged is used to describe an OAuth-authenticated request without the end-user involved. Basically, it is …

Automating access token refreshing via interceptors in axios

I may have found a much simpler way to handle this: use axios.interceptors.response.eject() to disable the interceptor when I call the /api/refresh_token endpoint, and re-enable it after. The code: /** * Wrap the interceptor in a function, so that it can be re-instantiated */ function createAxiosResponseInterceptor() { const interceptor = axios.interceptors.response.use( (response) => …

Google OAuth 2.0 failing with Error 400: invalid_request for some client_id, but works well for others in the same project

Please see https://stackoverflow.com/a/71491500/1213346 for a “proper” solution. This answer is just an ugly workaround that the community seems to like. … Here is a cringy workaround for this situation: replace urn:ietf:wg:oauth:2.0:oob with http://localhost:1/ in the code posted in the question. This makes the flow go through, my browser gets redirected and fails and I get …

Is it possible to use OAuth 2.0 without a redirect server?

Yes, it is possible to use OAuth2 without a callback URL. RFC 6749 introduces several flows. The Implicit (now deprecated[1]) and Authorization Code grant types require a redirect URI. However, the Resource Owner Password Credentials (deprecated as well[1]) grant type does not. Since RFC 6749, other specifications have been issued that do not require any redirect …

Error: invalid_client no registered origin

In the new Google API Console, configure your OAuth 2.0 authorized origins from Your Project > APIs & auth > Credentials. You might need to add a new Client ID specifically for a web application (I did, because the default was for AppEngine): Create Client ID > Web Application > Authorized JavaScript origins. If you are …

How do I implement secure OAuth2 consumption in Javascript?

The Implicit Grant flow (the one you’re referring to as User-Agent Flow) is exactly the way to go: the implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. To understand the flow, the documentation from Google for client-side applications is a really …

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)