thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Implicit grant for OIDC not supported #1374

Closed georgeboot closed 1 year ago

georgeboot commented 1 year ago

I know OIDC is not formally supported by this package.

We are however implementing an OIDC server using this package (with the help of https://github.com/jeremy379/laravel-openid-connect).

When I use the authorisation code grant, this works as expected.

However, when I try to do an implicit grant (or implicit flow, as OIDC calls it) by setting response_type=token id_token, the server always rejects the request because the following check does not match the request: https://github.com/thephpleague/oauth2-server/blob/ab7714d073844497fd222d5d0a217629089936bc/src/Grant/ImplicitGrant.php#L105-L109

Is this done on purpose? Should this check not rather be a contains check? I am happy to submit a PR if this is the case.

If not, are there any ways for me to get my setup working?
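The request in the report carries `response_type=token id_token`, which under OpenID Connect is a space-delimited set of values rather than a single string. The following is an added illustration, not code from oauth2-server or the laravel-openid-connect package: it contrasts an exact comparison (assumed to be what the linked check does) with a parse-into-a-set comparison against an explicit allow-list, and shows why a plain substring "contains" check would be the wrong fix. The function names and the sample requests are constructed for this example.

```php
<?php
// Added example; not part of the oauth2-server project.
// Shows how a space-delimited OIDC response_type interacts with three
// styles of check. All function names are hypothetical.
declare(strict_types=1);

/** Exact match, as an OAuth 2.0-only implicit grant might do (assumption). */
function acceptsExact(array $query): bool
{
    return isset($query['response_type']) && $query['response_type'] === 'token';
}

/**
 * Naive substring check. Over-matches: "id_token" alone and "code token"
 * both contain "token", so this would let unrelated flows into the grant.
 */
function acceptsContains(array $query): bool
{
    return isset($query['response_type']) && str_contains($query['response_type'], 'token');
}

/** OIDC: response_type is a space-delimited, order-independent set of values. */
function parseResponseType(string $value): array
{
    $parts = preg_split('/\s+/', trim($value), -1, PREG_SPLIT_NO_EMPTY);
    $set = array_values(array_unique($parts));
    sort($set);
    return $set;
}

/**
 * Set comparison against an explicit allow-list of value combinations.
 * Only the combinations a server actually implements should be listed.
 */
function acceptsSet(array $query, array $allowedCombinations): bool
{
    if (!isset($query['response_type'])) {
        return false;
    }
    $requested = parseResponseType($query['response_type']);
    foreach ($allowedCombinations as $combination) {
        $allowed = $combination;
        sort($allowed);
        if ($allowed === $requested) {
            // OIDC Core requires a nonce for the implicit flow; enforce it
            // whenever id_token is among the requested values.
            if (in_array('id_token', $requested, true) && empty($query['nonce'])) {
                return false;
            }
            return true;
        }
    }
    return false;
}

// Constructed sample requests (client_id and nonce values are placeholders).
$plainOauth   = ['response_type' => 'token',          'client_id' => 'example-client'];
$oidcImplicit = ['response_type' => 'token id_token', 'client_id' => 'example-client', 'nonce' => 'n-0S6_WzA2Mj'];
$oidcNoNonce  = ['response_type' => 'id_token token', 'client_id' => 'example-client'];
$hybrid       = ['response_type' => 'code token',     'client_id' => 'example-client'];

$allowed = [['token'], ['token', 'id_token']];

var_dump(acceptsExact($plainOauth));            // true
var_dump(acceptsExact($oidcImplicit));          // false: the rejection described in the issue
var_dump(acceptsContains($hybrid));             // true: a substring check admits a hybrid-flow request
var_dump(acceptsSet($oidcImplicit, $allowed));  // true: order-independent set match, nonce present
var_dump(acceptsSet($oidcNoNonce, $allowed));   // false: id_token requested without a nonce
var_dump(acceptsSet($hybrid, $allowed));        // false: "code token" is not an allowed combination
```

The point for anyone reworking the check: widening an exact comparison to a substring match admits combinations the grant does not implement, whereas parsing `response_type` into a set and comparing it with the combinations the server supports keeps the grant's behaviour explicit.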

Sephster commented 1 year ago

I think this is on purpose as we don't have the concept of an id_token for the implicit grant in OAuth 2. I'd be hesitant to change this until we have time to implement OIDC.

Have you raised an issue with the downstream package? Might be better for them to tackle it at this time