Don't proxy OAuth Tokens
dshoreman opened this issue · comments
Dave Shoreman commented
In our Auth\LoginController we proxy from /login to /oauth/token so that a global Client ID and Secret can be injected without exposing them on the frontend.
This really needs to be fixed. One potential method would be using Passport's Code Grant with PKCE, but it may be easier to use Sanctum with its cookie-based SPA Authentication instead.