Consider dropping support for OAuth2 Implicit flow #244
Comments
|
@pradtke Can you please check your access logs if anyone actually used this? I couldn't find any... |
|
I don't quite understand. Are you asking if we have any implicit flow usage, or if we have implicit flow usage that only requests |
|
I was only interested in response_type=token (OAuth2 implicit flow). I'm not interested in OIDC implicit flow, I won't touch that. So, there is no such cases, which is quite reasonable. I will probably go ahead and drop support for that when I get the chance... |
|
Ah, right I understand now. My brain autocorrected OAuth2 to OIDC :) |
In the codebase we have OAuth2 Implicit Grant (src/Server/Grants/OAuth2ImplicitGrant.php), which is triggered by 'response_type' = 'token' param request on authorization endpoint.
This is not OIDC standard flow and there is low probability that anyone ever used it. It also brings some code branching which could be avoided if this flow can be dropped.
The text was updated successfully, but these errors were encountered: