
The Authorization Code grant flow is recommended even for public client applications like Angular in the upcoming OAuth 2.1.

But Angular apps are usually SPAs, which means there isn't a built-in server side to store the client_secret.

The library 'angular-oauth2-oidc' claims to support the code grant flow, but I could not find any open-source solution available.

I tried Vouch Proxy, but it sets a cookie, which contains the access_token and id_token, and that cookie would not be recognized by angular-oauth2-oidc. The code flow in angular-oauth2-oidc is implemented as an XHR request to https://{your-authentication-server}/token.oauth2, so those two don't match up.

Any ideas, corrections or workarounds are greatly appreciated.

James Sun

1 Answer


Your question is not clear enough; I'll try to answer -- please correct me if you were looking for anything different.

As mentioned on the main page of the project:

Since Version 8, this library supports code flow and PKCE to align with the current draft of the OAuth 2.0 Security Best Current Practice document. This is also the foundation of the upcoming OAuth 2.1.

PKCE is a kind of replacement for the client_secret, originally designed for mobile apps but eventually shared with SPAs. It relies on the redirect_uri to ensure your browser is running the pre-registered app, and then uses the code verifier to bind the following token request to the original challenge.

For those who come from the dotnet world, the most organic open-source STS to work with is Identity Server. For those who come from the Java world, Keycloak might be more intuitive. The official documentation illustrates communication with the first, but you can find links to several tutorials on the same page below.

d_f
  • PKCE is in no way a replacement for the client_secret. OAuth2 defines two types of client: confidential (that can safely store a client_secret) and public (that cannot safely store a client_secret). Basically, you can use angular-oauth2-oidc with the code flow without specifying a client_secret. You just have to be sure that you registered your app in your authentication provider as a public client. PKCE is just an additional security layer used to prevent man-in-the-middle attacks. – ssougnez Jul 26 '20 at 17:15
  • I know the theory - setting up and customising authentication is my everyday job. With the answer as it is, I just wanted to explain to the OP the simplest way to go in the simplest words. It is possible to turn PKCE off, but it's not recommended, and it's on by default on both the client and server side. – d_f Jul 27 '20 at 21:40
  • I'm sure you know what you're talking about. Just saying that PKCE is definitely not a kind of replacement of client_secret. These are two totally different things... – ssougnez Jul 27 '20 at 21:42
  • They work absolutely differently. They both work towards the same goal: making sure the sign-in action a user performs on the IdP's web page is bound to the particular app's context. For me that's enough to say these are definitely **not** such different things _from the end user perspective_. – d_f Jul 29 '20 at 21:01