JamesRandall / AngularJS-OAuth2

Package for allowing an AngularJS application to authenticate with an OAuth 2 / Open ID Connect identity provider using the implicit flow.
MIT License
46 stars 42 forks

Nonce is forced #22

Closed anestos closed 8 years ago

anestos commented 8 years ago

Hi, it seems that the nonce parameter of the request URL is always there. Google doesn't accept requests with that parameter. A quick fix would be to add the nonce only if it is provided, like in the original oauth-ng plugin:

function init() {
    ...
    if (scope.nonce != undefined) {
        scope.nonce = scope.nonce || generateState();
    }
    ...

service.init = function(params) {
    ...
    if (params.nonce) {
        service.url += '&' + 'nonce=' + encodeURIComponent(params.nonce);
    }
    ...

JamesRandall commented 8 years ago

I've updated this but to maintain backwards compatibility I've done it in a slightly different way - you can disable the auto generation of the nonce by setting the auto-generate-nonce attribute to false:

<oauth2 .... auto-generate-nonce="false" ...>

It's not as clean as the above but if I use the lack of a nonce to trigger it then it breaks existing clients where the server is expecting a nonce.

I may revisit on v2.0.0.

The update is in v1.0.3
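
The behaviour discussed in this thread, as an added example that is not code from AngularJS-OAuth2 or oauth-ng: the authorization URL carries a nonce only when one is supplied or auto-generation is left on, and whatever nonce was sent is compared with the `nonce` claim of the returned ID token. The function names, the `cfg` fields and the `autoGenerateNonce` option are assumptions modelled on the `auto-generate-nonce` attribute; signature validation of the token is out of scope here.

```javascript
// Added example; names are hypothetical, not the package's API.
// Web Crypto in browsers and current Node; the require() fallback is for older Node.
const rng = globalThis.crypto || require('crypto').webcrypto;

function generateNonce() {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Builds the implicit-flow authorization URL. A nonce is appended only when the
// caller supplied one or auto-generation is enabled (the default, for
// backwards compatibility with servers that expect a nonce).
function buildAuthorizeUrl(cfg) {
  const auto = cfg.autoGenerateNonce !== false;
  const nonce = cfg.nonce || (auto ? generateNonce() : null);
  const params = [
    ['response_type', cfg.responseType],
    ['client_id', cfg.clientId],
    ['redirect_uri', cfg.redirectUri],
    ['scope', cfg.scope],
    ['state', cfg.state],
  ];
  if (nonce) params.push(['nonce', nonce]);
  const query = params.map(([k, v]) => k + '=' + encodeURIComponent(v)).join('&');
  // The caller stores the returned nonce (e.g. in sessionStorage) for the callback.
  return { url: cfg.authorizeEndpoint + '?' + query, nonce: nonce };
}

// Compares the nonce claim in the ID token payload with the value that was sent.
// Returns false for malformed tokens or a mismatch.
function nonceMatches(idToken, expectedNonce) {
  if (!expectedNonce) return true; // no nonce was sent, so there is nothing to compare
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return false;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
    return JSON.parse(atob(b64)).nonce === expectedNonce;
  } catch (e) {
    return false;
  }
}
```

With auto-generation switched off and no nonce supplied, nothing ties the returned ID token to this particular request, so the `state` check is the only remaining binding between request and response.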