manfredsteyer / angular2-oauth2


Authorization Code Grant #28

Open ProbablePrime opened 7 years ago

ProbablePrime commented 7 years ago

The OAuth 2 Authorization Code Grant appears to not be implemented?

Is this on the roadmap?

Spec: https://tools.ietf.org/html/rfc6749#section-4.1

ctrix commented 7 years ago

+1 for this.

svrooij commented 7 years ago

The code grant might not be implemented by design!

The code grant requires the client to be able to keep the secret SECRET, hence the name. A client-side application cannot keep this secret a secret. The code grant flow is designed for server-side applications, like a PHP application.

PostImpatica commented 7 years ago

@svrooij @ProbablePrime Actually the new recommendation for SPAs is that you use the Authorization Code grant type but leave off the last step of requesting a token with the secret. See this article: OAuth2 Simplified
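The three messages of the RFC 6749 section 4.1 flow that this thread is about, as an added example that is not part of the issue or of angular2-oauth2: the token request is built once with a client secret (the server-side case) and once without (the browser case). The endpoint, redirect URI, client id and all function names are hypothetical placeholders.

```javascript
// Added example. Endpoint, redirect URI and client id are constructed placeholders.
const AUTHZ_ENDPOINT = 'https://idp.example/authorize';
const REDIRECT_URI = 'https://app.example/callback';
const CLIENT_ID = 'example-spa';

// Unguessable state value, generated in the browser with the Web Crypto API.
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// RFC 6749 section 4.1.1: the authorization request the browser is redirected to.
function buildAuthorizationUrl(state) {
  const url = new URL(AUTHZ_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    state,
  }).toString();
  return url.toString();
}

// RFC 6749 section 4.1.2: the authorization response on the redirect URI.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) throw new Error('authorization failed: ' + params.get('error'));
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch'); // response does not belong to our request
  }
  const code = params.get('code');
  if (!code) throw new Error('missing code');
  return code;
}

// RFC 6749 section 4.1.3: body of the token request.
// A server-side client passes clientSecret; code shipped to a browser has none to pass.
function buildTokenRequestBody(code, clientSecret) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
  });
  if (clientSecret !== undefined) body.set('client_secret', clientSecret);
  return body.toString();
}
```

Any value passed as `clientSecret` from browser code is readable by every user of the application, which is why the browser variant omits it.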