I'm trying to set up Pac4j in my back end (BE) application and in order to configure my Angular front end (FE), I need to understand the workflow that it expects in order to configure the back end properly.

I've been reading reams of documentation and trawling through Pac4j source to find how I get the token from the code without exposing the client secret.

So...

  1. I try to log in FE->BE (without auth)
  2. I receive a 401
  3. I take the 'Location' (the Google auth uri) from the 401 and redirect to it, providing a callback uri
  4. I log in to Google
  5. I am redirected back to my callback uri with a code
  6. (What request do I make to BE in order to get a token back? i.e. where is the token URI that doesn't require a client_secret)
  7. I use the retrieved token to access and continue as normal using BE
Ross Drew
    Do you need a Pac4j specific solution (I don't know the library) or a general OAuth 2 answer? – Ján Halaša Jan 22 '19 at 14:30
  • It's in the tags, pac4j-oidc :) – Ross Drew Jan 22 '19 at 14:35
  • OK, anyway, you need to call the [token endpoint](https://tools.ietf.org/html/rfc6749#section-4.1.3). – Ján Halaša Jan 22 '19 at 14:38
  • That's plain OAuth and not OIDC though. If it still applies, what is the token endpoint? I can't refer to Google's token endpoint as that requires the `client_secret` and there is no token endpoint as far as I can see served by Pac4j. There is a callback endpoint which I define but I don't know it @JánHalaša – Ross Drew Jan 22 '19 at 15:16
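The seven steps in the question describe the authorization code flow with the back end acting as the confidential client. The piece that resolves step 6 is that the browser never calls the provider's token endpoint at all: it hands the `code` (and `state`) to the BE callback URL, and the BE performs the code-for-token exchange server-side with the `client_secret`, then gives the FE only its own session. The following is an added illustration of that split, not code from the question, from pac4j or from Google; the identity provider is an in-process stand-in, and `CLIENT_ID`, `CLIENT_SECRET`, the endpoint URLs and the `Backend`/`FakeIdP` classes are all constructed for the demo.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the demo; a real deployment takes them from configuration.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"   # exists only on the BE, never shipped to the FE
AUTH_ENDPOINT = "https://idp.example/authorize"
CALLBACK_URI = "https://be.example/callback"


class FakeIdP:
    """Offline stand-in for the provider's authorization and token endpoints (constructed)."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri); codes are single-use

    def authorize(self, client_id, redirect_uri):
        # Step 4/5: after the user logs in, the provider issues a short-lived code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def token(self, form):
        # The token endpoint authenticates the confidential client, which is
        # exactly why a browser-resident client cannot call it without leaking the secret.
        entry = self._codes.pop(form.get("code"), None)
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri = entry
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if form.get("client_id") != client_id or not hmac.compare_digest(
                form.get("client_secret", ""), CLIENT_SECRET):
            return {"error": "invalid_client"}
        if form.get("redirect_uri") != redirect_uri:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}


class Backend:
    """Confidential client: holds the secret, runs the exchange, hands the FE only a session id."""

    def __init__(self, idp):
        self.idp = idp
        self._pending_states = set()
        self.sessions = {}   # session id -> provider access token (kept server-side)

    def start_login(self):
        # Step 2/3: what the 401's Location header carries. The state nonce lets the BE
        # reject callbacks it did not initiate (CSRF / code injection into a foreign session).
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK_URI,
                  "scope": "openid email", "state": state}
        return f"{AUTH_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        # Step 5/6: the FE forwards the provider's redirect to the BE callback URL.
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        code = qs.get("code", [None])[0]
        if state not in self._pending_states:
            return None   # unknown or replayed state: refuse to exchange the code
        self._pending_states.discard(state)
        form = {"grant_type": "authorization_code", "code": code, "redirect_uri": CALLBACK_URI,
                "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
        resp = self.idp.token(form)
        if "access_token" not in resp:
            return None
        # Step 7: the FE gets an opaque session id, not the provider token or the secret.
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = resp["access_token"]
        return session_id


def run_flow(idp, be):
    """Drive steps 1-7 end to end and return the session id the FE would keep."""
    location = be.start_login()
    params = parse_qs(urlparse(location).query)
    code = idp.authorize(params["client_id"][0], params["redirect_uri"][0])
    callback = f"{CALLBACK_URI}?{urlencode({'code': code, 'state': params['state'][0]})}"
    return be.handle_callback(callback)
```

The point the demo makes concrete: the URL the FE needs after step 5 is the BE's own callback URL, and the only credential that crosses the browser is the single-use `code` bound to a `state` the BE issued. A callback with a state the BE never issued, a second delivery of the same state, or a direct token request without the secret all fail, which is the property the question is trying to preserve.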

1 Answer

If you don't want to use client_secret, then you need public client. I'm not sure if public client is supported by Google.

IMHO better approach will be implicit flow in the FE. It will generate access token, which will be used for BE api calls.

Jan Garaj
  • But my client is private, right? The back end. The Angular UI is just the User Agent in the equation. Am I misunderstanding it? – Ross Drew Jan 22 '19 at 22:32
  • Yes, Google offers only client with client secret (as I know) = private client. Angular is FE/SPA app = implicit flow typically. – Jan Garaj Jan 22 '19 at 23:50
  • Is that specific to Google? i.e. have I just made this public UA, private Client flow up or is it just Google that doesn't do it? Thanks btw – Ross Drew Jan 23 '19 at 10:06