openid / AppAuth-JS

JavaScript client SDK for communicating with OAuth 2.0 and OpenID Connect providers.

Repository from GitHub: https://github.com/openid/AppAuth-JS

AuthorizationResponse does not support Implicit flow for RESPONSE_TYPE_TOKEN

SeanLMcCullough opened this issue

Expected Behavior

When using response_type: AuthorizationRequest.RESPONSE_TYPE_TOKEN for the implicit flow, the authorization notifier should be invoked with the complete response containing the tokens, not just the cherry-picked code and state, which are relevant only to the authorization code flow.

Describe the problem

The current behaviour assumes that the response payload is for AuthorizationRequest.RESPONSE_TYPE_CODE, and only returns the properties expected for an authorization code flow. When using implicit flow and a successful authorization occurs, the tokens are not sent to the authorization notifier.

AuthorizationResponse also lacks the required properties and appears to only support RESPONSE_TYPE_CODE, despite the request's support for RESPONSE_TYPE_TOKEN.

RESPONSE_TYPE_TOKEN is effectively ignored, despite this being an option and configurable value in AuthorizationRequest.

[REQUIRED] Steps to reproduce the behavior

Follow the code example in the README, with the following differences:

  1. Perform an implicit authorization flow with response_type: AuthorizationRequest.RESPONSE_TYPE_TOKEN
  2. Observe the response in the authorization notifier that the tokens are not included in AuthorizationResponse

[REQUIRED] Environment

  • AppAuth-JS version: 1.3.1
  • AppAuth-JS Environment (Node, Browser (UserAgent), ...): Google Chrome, Vue.JS PWA
  • Source code snippets (inline or JSBin)
import { AuthorizationRequest } from '@openid/appauth';

// Built inside a Vue component; state is left undefined so the library generates one.
this.authorizationRequest = new AuthorizationRequest({
  client_id: '~~redacted~~',
  redirect_uri: '~~redacted~~',
  scope: 'openid profile email phone',
  response_type: AuthorizationRequest.RESPONSE_TYPE_TOKEN, // implicit flow
  state: undefined,
  extras: {}
})
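The behaviour the issue asks for, as an added example that is not AppAuth-JS code and not the reporter's: an authorization code response arrives in the redirect query string (code, state), whereas an implicit-flow response arrives in the URL fragment (access_token, token_type, expires_in, optional scope and id_token, state; RFC 6749 section 4.2.2). The parser below handles both shapes, rejects a response whose state does not match the one issued with the request, and treats token_type as required. The sample redirect URLs and parameter values are constructed for the example.

```javascript
// Added example, not code from the AppAuth-JS project.
// Parses an OAuth 2.0 redirect for either response_type=code (query string)
// or response_type=token (fragment) and binds it to the request's state.
function parseAuthorizationRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  // The implicit flow puts the token in the fragment so it never reaches the server.
  const fragment = new URLSearchParams(url.hash.startsWith('#') ? url.hash.slice(1) : url.hash);
  const query = url.searchParams;

  // Prefer the fragment when it carries a token or an error; otherwise read the query.
  const params = fragment.has('access_token') || fragment.has('error') ? fragment : query;

  // state must equal the value generated for this AuthorizationRequest,
  // otherwise the redirect may belong to a different (possibly attacker-initiated) request.
  const state = params.get('state');
  if (expectedState !== undefined && state !== expectedState) {
    throw new Error('state mismatch: response does not belong to this request');
  }

  if (params.has('error')) {
    return {
      kind: 'error',
      error: params.get('error'),
      error_description: params.get('error_description') || undefined,
      state,
    };
  }

  if (params.has('access_token')) {
    const tokenType = params.get('token_type');
    if (!tokenType) {
      throw new Error('token_type is REQUIRED in an implicit-flow response');
    }
    const expiresIn = params.get('expires_in');
    return {
      kind: 'token',
      access_token: params.get('access_token'),
      token_type: tokenType,
      expires_in: expiresIn === null ? undefined : Number(expiresIn),
      scope: params.get('scope') || undefined,
      id_token: params.get('id_token') || undefined,
      state,
    };
  }

  if (params.has('code')) {
    return { kind: 'code', code: params.get('code'), state };
  }

  throw new Error('redirect carries neither a code nor a token');
}

// Constructed sample redirects (not captured from any real provider).
const IMPLICIT_REDIRECT =
  'https://app.example/cb#access_token=SlAV32hkKG&token_type=Bearer&expires_in=3600&scope=openid%20profile&state=xyz';
const CODE_REDIRECT = 'https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz';
const ERROR_REDIRECT = 'https://app.example/cb#error=access_denied&state=xyz';
```

Usage: call parseAuthorizationRedirect(window.location.href, request.state) in the redirect handler and branch on the returned kind. Note that this only parses the redirect; because the fragment-delivered access token is visible to any script on the page and lands in browser history, the OAuth 2.0 Security Best Current Practice steers browser clients toward the authorization code flow with PKCE, which AppAuth-JS already supports.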