openid / AppAuth-JS

JavaScript client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
Apache License 2.0
985 stars, 161 forks

Support for http basic authentication #24

Closed raffis closed 3 years ago

raffis commented 7 years ago

https://tools.ietf.org/html/rfc6749#section-2.3

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

How the credentials are submitted to the authorization server must be configurable, probably according to the specs from openid (http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication), whereas basic authentication should be the default if client credentials are given.

This is related to both the token endpoint and the revocation endpoint proposed in https://github.com/openid/AppAuth-JS/pull/19.
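The distinction the issue draws, shown as an added example (this is not AppAuth-JS code and does not use its API): the same token request built with the client authenticating via HTTP Basic (RFC 6749 section 2.3.1, the OpenID Connect `client_secret_basic` method) or via the two body parameters (`client_secret_post`), plus a selector that defaults to Basic when a secret is present and the provider's `token_endpoint_auth_methods_supported` list allows it. The function names, the sample client id/secret (taken from the RFC 6749 examples) and the constructed `params` are assumptions for illustration.

```javascript
// Added example, not AppAuth-JS code: OAuth 2.0 token-endpoint client
// authentication per RFC 6749 section 2.3.1 (Basic) and section 2.3.1
// body parameters (OIDC client_secret_post).

function formEncode(value) {
  // application/x-www-form-urlencoded encoding as RFC 6749 Appendix B
  // requires before the id/secret go into the Basic credential.
  // (encodeURIComponent leaves !'()* unescaped; fine for typical ids.)
  return encodeURIComponent(value).replace(/%20/g, '+');
}

function basicAuthHeader(clientId, clientSecret) {
  // RFC 6749 section 2.3.1: base64(formEncode(id) ":" formEncode(secret))
  const raw = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return 'Basic ' + Buffer.from(raw, 'utf8').toString('base64');
}

// Pick the client authentication method. OIDC Core section 9 makes
// client_secret_basic the default when the client has a secret; the
// body-parameter form is only a fallback for servers that lack Basic.
function chooseAuthMethod(supportedMethods, hasSecret) {
  if (!hasSecret) return 'none'; // public client: identify, never authenticate
  const supported = supportedMethods && supportedMethods.length
    ? supportedMethods
    : ['client_secret_basic'];
  for (const m of ['client_secret_basic', 'client_secret_post']) {
    if (supported.includes(m)) return m;
  }
  throw new Error('provider supports no secret-based client auth method');
}

// Build headers + form body for a token (or revocation) request.
// `params` holds the grant parameters (grant_type, code, redirect_uri ...).
function buildTokenRequest({ method, clientId, clientSecret, params }) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const body = new URLSearchParams(params);

  if (method === 'none') {
    body.set('client_id', clientId);
  } else if (method === 'client_secret_basic') {
    // Secret travels only in the Authorization header, never in the body.
    headers.Authorization = basicAuthHeader(clientId, clientSecret);
  } else if (method === 'client_secret_post') {
    // NOT RECOMMENDED per RFC 6749 section 2.3.1; keep for servers that need it.
    body.set('client_id', clientId);
    body.set('client_secret', clientSecret);
  } else {
    throw new Error(`unsupported client authentication method: ${method}`);
  }
  return { headers, body: body.toString() };
}

// Constructed sample usage with the RFC 6749 example credentials.
const SAMPLE_ID = 's6BhdRkqt3';
const SAMPLE_SECRET = 'gX1fBat3bV';
const SAMPLE_PARAMS = { grant_type: 'authorization_code', code: 'SplxlOBeZQQYbYS6WxSbIA' };

function sampleBasicRequest() {
  const method = chooseAuthMethod(['client_secret_basic', 'client_secret_post'], true);
  return buildTokenRequest({ method, clientId: SAMPLE_ID, clientSecret: SAMPLE_SECRET, params: SAMPLE_PARAMS });
}

console.log(sampleBasicRequest());
```

The Basic header produced for the RFC's sample client (`s6BhdRkqt3` / `gX1fBat3bV`) is exactly the one printed in RFC 6749 section 2.3.1, which is a quick way to check an implementation's encoding order (form-encode first, then base64).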

tikurahul commented 7 years ago

We could follow something along the lines of this: https://github.com/openid/AppAuth-android#utilizing-client-secrets-dangerous.

tikurahul commented 3 years ago

We don't want to support flows that involve entering credentials for every Auth request.