rayluo
commented
4 years ago In your appconfigb2c.py, it looks like you're using the /getatoken redirection url. Does this imply authorization code flow?
We did not "imply" it. In this sample repo, we ARE using authorization code flow. :-) For what it's worth, most SPAs are practically implemented in javascript, running inside a browser. Python scripts are not in this camp. This sample repo is no exception. We implement a web app, based on authorization code flow.
I'm seeing that Microsoft recommends implicit flow for SPAs due to CORS being unsupported ...
Would you mind share some links or docs about that? You can also reach me offline by email.
Also, the industry (and Okta) recommend now using authorization code flow for SPAs. Two questions:
Can we use auth code for SPAs?
Is this recommend?
I found these from some industry papers, although they are technically still a draft:
The implicit grant (response type "token") and other response types
causing the authorization server to issue access tokens in the
authorization response are vulnerable to access token leakage and
access token replay ...
Clients SHOULD instead use the response type "code" (aka
authorization code grant type) as specified in Section 3.1.1 or any
other response type that causes the authorization server to issue
access tokens in the token response. This allows the authorization
server to detect replay attempts and generally reduces the attack
surface since access tokens are not exposed in URLs.Quoted from https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.2
navyasric
In your appconfigb2c.py, it looks like you're using the /getatoken redirection url. Does this imply authorization code flow? I'm seeing that Microsoft recommends implicit flow for SPAs due to CORS being unsupported but it doesn't look like you're using that flow. Also, the industry (and Okta) recommend now using authorization code flow for SPAs. Two questions: