Molotch

Reputation: 475

OpenID connect implicit flow response

Between the Authorization Request (3.1.2.1) and the Authentication Response (3.1.2.5) the authorization server is responsible for validating the request, authenticating the user, and getting user consent before sending the response.

http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth

How is that supposed to work in a SPA application?

If I issue an ajax request the authorization server can't authenticate the user (I don't see how since there's no cookie, http-header or url fragment telling the Authorization Server who the user is). If I redirect the user to the authentication endpoint my SPA is unloaded. Since I don't have a server redirect_uri (which I've understood is the whole point of the implicit flow?) the endpoint can never reach my SPA again.

Obviously I'm missing something. How is the authentication and user-authorization chrome supposed to be shown to the user in the implicit flow?

Upvotes: 2

Views: 656

Answers (1)

Hans Z.

Reputation: 54078

OAuth 2.0/OpenID Connect separate the authentication from the application. You would redirect unauthenticated clients/users away from your application before anything is loaded and only handle the authorization response in the SPA. Your redirect URI would point to the SPA. In any case, you would not handle the OAuth 2.0/OpenID Connect dance in Ajax but in a full browser.

Upvotes: 1
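The redirect-based flow the answer describes, as an added example that is not part of the question or answer: the SPA sends the whole browser to the provider and, when it is loaded again at its own redirect URI, reads the response from the URL fragment and checks state and nonce. The authorization endpoint, client_id and redirect_uri are assumed values.

```javascript
// Added example, not code from the question or answer: a minimal OpenID Connect
// implicit-flow client for an SPA. The browser is sent to the provider, which
// redirects back to the SPA's own redirect_uri with the tokens in the fragment.
const config = { // made-up values
  authorizationEndpoint: "https://op.example/authorize",
  clientId: "spa-client",
  redirectUri: "https://spa.example/callback",
};

// Authorization Request (3.1.2.1). state and nonce are unguessable values the
// SPA stores (e.g. in sessionStorage) before leaving, to check on return.
function buildAuthorizeUrl(cfg, state, nonce) {
  const url = new URL(cfg.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: "id_token token", scope: "openid profile",
    client_id: cfg.clientId, redirect_uri: cfg.redirectUri,
    state, nonce,
  }).toString();
  return url.toString();
}

// Authentication Response (3.1.2.5): parse the fragment the provider appended
// to redirect_uri and reject it unless it carries the state we stored.
function parseAuthResponse(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  if (p.has("error")) throw new Error(`provider error: ${p.get("error")}`);
  if (p.get("state") !== expectedState) throw new Error("state mismatch");
  if (!p.get("id_token")) throw new Error("no id_token in response");
  return { idToken: p.get("id_token"), accessToken: p.get("access_token") };
}

// Decode the ID Token payload (base64url JSON) and check its nonce binds it to
// this login attempt; signature checking against the provider's JWKS still follows.
function checkNonce(idToken, expectedNonce) {
  const b64 = idToken.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  const payload = JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
  if (payload.nonce !== expectedNonce) throw new Error("nonce mismatch");
  return payload;
}
// Browser glue: startLogin() when unauthenticated; handleCallback() when the SPA
// loads at redirect_uri (then clear the fragment from the address bar).
function startLogin() {
  const state = crypto.randomUUID(), nonce = crypto.randomUUID();
  sessionStorage.setItem("oidc", JSON.stringify({ state, nonce }));
  window.location.assign(buildAuthorizeUrl(config, state, nonce));
}
function handleCallback() {
  const { state, nonce } = JSON.parse(sessionStorage.getItem("oidc"));
  return checkNonce(parseAuthResponse(window.location.hash, state).idToken, nonce);
}
```

The id_token must still have its signature, issuer, audience and expiry validated before any claim in it is trusted; the nonce and state checks only tie the response to the login attempt this SPA started.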
