
What kind of auth server does one need for code flow? #858

Open
sebastiangug opened this issue Jun 8, 2020 · 2 comments
Labels
docs Issues that involve improving or adding documentation.

Comments

sebastiangug commented Jun 8, 2020

I can't seem to get the code flow to work as by design it asks for the secret which has no job being on the client.

How exactly is the interaction between the Angular SPA and the backend intended to be?

The current docs are quite confusing on this. Any chance we could clear up the docs on that? I'd be happy to contribute as soon as I understand things myself.

Thanks.

jeroenheijmans (Collaborator) commented

For this library you need an IDS that supports Code Flow with PKCE, preferably without requiring a Client Secret (as that would not make sense for public clients).

Taken from the sample/demo IdentityServer4 instance, one way to configure such clients is like this:

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;

public static class Clients
{
    // Two public (browser) clients: no client secret is required, and PKCE
    // binds the token request to the authorization request instead.
    public static IEnumerable<Client> Get() => new List<Client>
    {
        new Client
        {
            ClientId = "interactive.public",
            ClientName = "Interactive client (Code with PKCE)",

            RedirectUris = { "https://notused" },
            PostLogoutRedirectUris = { "https://notused" },

            // Public client: the SPA cannot keep a secret, so none is required.
            RequireClientSecret = false,
            RequireConsent = false,

            // Authorization Code flow, with PKCE enforced on every request.
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            AllowedScopes = { "openid", "profile", "email", "api" },

            // Refresh tokens for the SPA; the same token is returned on each refresh.
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.ReUse
        },
        new Client
        {
            ClientId = "interactive.public.short",
            ClientName = "Interactive client with short token lifetime (Code with PKCE)",

            RedirectUris = { "https://notused" },
            PostLogoutRedirectUris = { "https://notused" },

            RequireClientSecret = false,
            RequireConsent = false,

            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            AllowedScopes = { "openid", "profile", "email", "api" },

            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.ReUse,
            // Access token lifetime in seconds, to exercise refresh handling.
            AccessTokenLifetime = 75
        }
    };
}
```

Any improvement to the docs is always welcome of course, though describing the actual working of the flows themselves might to a degree be best left to other sources than this client library?
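To make concrete why a public SPA client needs no secret when the server enforces Code flow with PKCE (as the answer above describes), here is an added, self-contained simulation of both sides of the exchange. It is example code written for this page, not code from angular-oauth2-oidc or IdentityServer4: the client derives an S256 `code_challenge` from a random `code_verifier`, the simulated authorization server stores the challenge with the code it issues, and the token endpoint accepts the code only when the presented verifier hashes to that challenge, is bound to the same client and redirect URI, and has not been used before. The in-memory `PkceAuthorizationServer` class and the `demo()` helper are assumptions made for illustration.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// base64url without padding, as RFC 7636 requires for the S256 method.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Client side: 32 random bytes give a 43-character verifier (RFC 7636 allows 43..128).
function generateCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function computeCodeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// What the server must remember for each issued authorization code.
interface IssuedCode {
  clientId: string;
  redirectUri: string;
  codeChallenge: string;
  used: boolean;
}

// Hypothetical in-memory authorization server (not IdentityServer4's implementation).
class PkceAuthorizationServer {
  private codes = new Map<string, IssuedCode>();

  // Authorization endpoint: issues a code and records the challenge that came with it.
  authorize(p: { client_id: string; redirect_uri: string; code_challenge: string; code_challenge_method: string }): string {
    if (p.code_challenge_method !== "S256") throw new Error("unsupported code_challenge_method");
    const code = base64url(randomBytes(16));
    this.codes.set(code, { clientId: p.client_id, redirectUri: p.redirect_uri, codeChallenge: p.code_challenge, used: false });
    return code;
  }

  // Token endpoint for a public client: no client_secret parameter at all.
  // Possession of the code_verifier is what authenticates this request.
  token(p: { grant_type: string; code: string; client_id: string; redirect_uri: string; code_verifier: string }): { access_token: string } | { error: string } {
    if (p.grant_type !== "authorization_code") return { error: "unsupported_grant_type" };
    const issued = this.codes.get(p.code);
    if (!issued || issued.used) return { error: "invalid_grant" };
    if (issued.clientId !== p.client_id || issued.redirectUri !== p.redirect_uri) return { error: "invalid_grant" };
    const expected = Buffer.from(issued.codeChallenge);
    const actual = Buffer.from(computeCodeChallenge(p.code_verifier));
    if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return { error: "invalid_grant" };
    issued.used = true; // a code is single-use
    return { access_token: base64url(randomBytes(24)) };
  }
}

// Walks through one successful exchange plus the two failure modes PKCE exists to stop.
function demo(): { success: boolean; wrongVerifierRejected: boolean; replayRejected: boolean } {
  const server = new PkceAuthorizationServer();
  const clientId = "interactive.public"; // matches the sample IdentityServer4 client
  const redirectUri = "https://notused";

  // 1. SPA creates the verifier, keeps it locally, sends only the challenge.
  const verifier = generateCodeVerifier();
  const code = server.authorize({
    client_id: clientId,
    redirect_uri: redirectUri,
    code_challenge: computeCodeChallenge(verifier),
    code_challenge_method: "S256",
  });

  // 2. A token request that presents the code with a different verifier must fail.
  const wrong = server.token({ grant_type: "authorization_code", code, client_id: clientId, redirect_uri: redirectUri, code_verifier: generateCodeVerifier() });

  // 3. The SPA redeems the code with the original verifier and gets a token.
  const ok = server.token({ grant_type: "authorization_code", code, client_id: clientId, redirect_uri: redirectUri, code_verifier: verifier });

  // 4. Redeeming the same code a second time must fail.
  const replay = server.token({ grant_type: "authorization_code", code, client_id: clientId, redirect_uri: redirectUri, code_verifier: verifier });

  return {
    success: "access_token" in ok,
    wrongVerifierRejected: "error" in wrong,
    replayRejected: "error" in replay,
  };
}
```

The server-side check in `token()` is the part that replaces the client secret: the verifier never leaves the SPA until the token request, so a party that only observed the redirect (and therefore the code) cannot redeem it. The constant-time comparison via `timingSafeEqual` is a small hardening detail that a real server should also apply.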

@jeroenheijmans changed the title from "What kind of auth server does one need for code flow? current docs are extremely confusing" to "What kind of auth server does one need for code flow?" on Jun 8, 2020

jeroenheijmans (Collaborator) commented

Made the title a bit more succinct and moved some info into the original post, hope you don't mind.

@jeroenheijmans jeroenheijmans added the docs Issues that involve improving or adding documentation. label Jun 8, 2020