Expected Behavior
When using response_type: AuthorizationRequest.RESPONSE_TYPE_TOKEN for implicit flow, the authorization notifier should be invoked with the complete response containing the tokens, not just the cherry-picked code and state, which are relevant only to authorization code flow.
Describe the problem
The current behaviour assumes that the response payload is for AuthorizationRequest.RESPONSE_TYPE_CODE, and only returns the properties expected for an authorization code flow. When using implicit flow and a successful authorization occurs, the tokens are not sent to the authorization notifier.
AuthorizationResponse also lacks the required properties and appears to only support RESPONSE_TYPE_CODE, despite the request's support for RESPONSE_TYPE_TOKEN.
RESPONSE_TYPE_TOKEN is effectively ignored, despite this being an option and configurable value in AuthorizationRequest.
[REQUIRED] Steps to reproduce the behavior
Following the same code example as the example in the README with the following differences.
Perform an implicit authorization flow with response_type: AuthorizationRequest.RESPONSE_TYPE_TOKEN
Observe the response in the authorization notifier that the tokens are not included in AuthorizationResponse
[REQUIRED] Environment
AppAuth-JS version: 1.3.1
AppAuth-JS Environment (Node, Browser (UserAgent), ...): Google Chrome, Vue.JS PWA
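
The difference between the two response shapes, as an added example that is not part of the original issue and is not AppAuth-JS code: a stand-alone parser for the redirect fragment that returns the token fields for implicit flow and code/state for authorization code flow, after checking state. The function name, result shape and sample values are hypothetical; the parameter names (access_token, token_type, expires_in, scope, state, code, error) are those defined by RFC 6749.

```javascript
// Added illustration; not AppAuth-JS code. All names here are hypothetical.
// Parses the redirect fragment of an OAuth 2.0 authorization response and
// returns the fields for whichever flow was used (RFC 6749 4.1.2 / 4.2.2).
function parseAuthorizationFragment(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const state = params.get('state');

  // Reject responses that do not belong to the request we sent.
  if (!expectedState || state !== expectedState) {
    return { kind: 'error', error: 'state_mismatch' };
  }
  if (params.has('error')) {
    return {
      kind: 'error',
      error: params.get('error'),
      errorDescription: params.get('error_description'),
    };
  }
  // Authorization code flow: only `code` and `state` come back.
  if (params.has('code')) {
    return { kind: 'code', code: params.get('code'), state };
  }
  // Implicit flow: the token fields arrive directly in the fragment.
  if (params.has('access_token')) {
    const tokenType = params.get('token_type');
    if (!tokenType) return { kind: 'error', error: 'missing_token_type' };
    const expiresIn = params.has('expires_in')
      ? Number(params.get('expires_in'))
      : undefined;
    return {
      kind: 'token',
      accessToken: params.get('access_token'),
      tokenType,
      expiresIn: Number.isFinite(expiresIn) ? expiresIn : undefined,
      scope: params.get('scope') || undefined,
      state,
    };
  }
  return { kind: 'error', error: 'unrecognized_response' };
}

// Constructed sample fragments (placeholder values, not real tokens).
const implicitSample =
  '#access_token=EXAMPLE_TOKEN&token_type=Bearer&expires_in=3600&state=abc123';
const codeSample = '#code=EXAMPLE_CODE&state=abc123';
console.log(parseAuthorizationFragment(implicitSample, 'abc123'));
console.log(parseAuthorizationFragment(codeSample, 'abc123'));
```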