Closed by georgeboot 1 year ago
It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.
In other words, the Implicit Flow is Legacy and not supported.
Issue previously raised in https://github.com/thephpleague/oauth2-server/issues/1374
When I use the authorisation code grant, this works as expected.
However, when I try to do an implicit flow by setting response_type=token id_token or response_type=id_token, the server always rejects the request because the following check does not match the request: https://github.com/thephpleague/oauth2-server/blob/ab7714d073844497fd222d5d0a217629089936bc/src/Grant/ImplicitGrant.php#L105-L109
Are there any recommended ways to bypass this issue?
I am using Laravel Passport.
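The behaviour described in this thread, a server that has the authorization code grant enabled and refuses implicit-style response types, as an added example in Python. This is not code from the oauth2-server project or from Laravel Passport; it is a self-contained authorization-endpoint check written for illustration. The query strings it is run against are constructed, and it assumes that redirect_uri has already been validated against the client's registration before any error redirect is built.

```python
"""Added example (not the oauth2-server project's code): a minimal
response_type check for an OAuth 2.0 authorization endpoint that accepts
only the authorization code grant and turns an implicit request
(response_type=token, id_token, or a space-delimited combination) into the
RFC 6749 "unsupported_response_type" error."""

from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

# Response types this server is willing to issue. Only the authorization
# code grant is enabled; "token" and "id_token" (the implicit flow) are not.
SUPPORTED_RESPONSE_TYPES: Set[str] = {"code"}

# Response types that put a token in the redirect fragment. Listed only so
# the server can say precisely why a request was refused.
IMPLICIT_RESPONSE_TYPES: Set[str] = {"token", "id_token"}


def parse_response_type(value: str) -> Set[str]:
    """response_type is a space-delimited, order-independent set
    (RFC 6749 section 3.1.1), so "token id_token" and "id_token token"
    are the same request."""
    return {part for part in value.strip().split() if part}


def validate_authorization_request(query: str) -> Dict[str, object]:
    """Check the response_type of a raw authorization-request query string.

    Returns {"ok": True, "response_type": {...}} for an acceptable request,
    otherwise {"ok": False, "error": <OAuth error code>, "reason": <text>}.
    """
    params = parse_qs(query, keep_blank_values=True)
    raw = params.get("response_type", [])
    if not raw:
        return {"ok": False, "error": "invalid_request",
                "reason": "response_type is required"}
    if len(raw) != 1:
        return {"ok": False, "error": "invalid_request",
                "reason": "response_type must appear exactly once"}

    requested = parse_response_type(raw[0])
    if not requested:
        return {"ok": False, "error": "invalid_request",
                "reason": "response_type is empty"}
    if requested <= SUPPORTED_RESPONSE_TYPES:
        return {"ok": True, "response_type": requested}

    implicit = requested & IMPLICIT_RESPONSE_TYPES
    if implicit:
        reason = ("implicit flow is not enabled: "
                  + ", ".join(sorted(implicit)))
    else:
        reason = "unknown response_type: " + ", ".join(sorted(requested))
    return {"ok": False, "error": "unsupported_response_type", "reason": reason}


def error_redirect(redirect_uri: str, error: str,
                   state: Optional[str] = None) -> str:
    """Build the error redirect for a code-grant request (RFC 6749
    section 4.1.2.1: error and state go in the query component).

    Assumption: redirect_uri was already matched against the client's
    registered URIs; an error is never sent to an unvalidated URI."""
    query = {"error": error}
    if state is not None:
        query["state"] = state
    separator = "&" if urlsplit(redirect_uri).query else "?"
    return f"{redirect_uri}{separator}{urlencode(query)}"


if __name__ == "__main__":
    # Constructed sample requests: one code-grant request and the two
    # implicit requests from the issue.
    samples = [
        "response_type=code&client_id=app&redirect_uri=https://app.example/cb&state=xyz",
        "response_type=token+id_token&client_id=app&redirect_uri=https://app.example/cb",
        "response_type=id_token&client_id=app&redirect_uri=https://app.example/cb",
    ]
    for sample in samples:
        verdict = validate_authorization_request(sample)
        print(sample.split("&")[0], "->", verdict)
        if not verdict["ok"]:
            print("   redirect:", error_redirect("https://app.example/cb",
                                                 str(verdict["error"]), "xyz"))
```

The check treats response_type as a set rather than a string, so neither reordering the values nor mixing "code" with "id_token" gets past it; only a request consisting solely of supported types is accepted, and everything else is answered with an OAuth error code the client can act on.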