Best Flow for SPA [closed]
Should I go with the current supported libraries that only provide Implicit Flow, or write my own code from scratch to handle the Code Flow?
After doing quite a bit of research on the topic, I see various different opinions on what type of flow to use when working with OAuth 2.0 (OIDC). The recommendations seem to be changing, though, and support for the new recommendations doesn't seem to be there. Which path should I follow?
Code Flow without a client secret and PKCE seems to be the current "recommendation".
Implicit Flow seems to be the past recommendation.
After looking around, I found that a lot of the Angular libraries mainly support only Implicit Flow.
So again, the question is: use the existing libraries with the old recommended Implicit Flow, or write our own services to handle the new secret-less Code Flow with PKCE?
Things to consider for my project:
- In our app, once you log in for the first time you will have to select an org and, based on that, get a new token with new scopes.
- We will have a main Launcher app that opens up iframes based on the app you select. Each launched app will also have to get new tokens.
- Angular experience is limited but we are willing to put in the work to learn.
- We are on quite tight deadlines.
![](http://i.stack.imgur.com/bpLjl.png)
asked Jan 3 at 21:26
JoellyR
closed as primarily opinion-based by Paul, R. Richards, cgTag, david, Billal Begueradj Jan 4 at 4:07
Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. If this question can be reworded to fit the rules in the help center, please edit the question.
1 Answer
1
The current recommendation is to use the Authorization Code flow with PKCE. When OpenID Connect/OAuth 2.0 first came out, the implicit flow was recommended for SPAs. But this has changed due to security concerns. Soon there will be amendments to these specifications to highlight the suggestion.
I would recommend using AppAuth-JS as a library. It provides authorization code flow support with PKCE. It is an official OpenID Foundation library.
answered Jan 4 at 2:02
Kavindu Dodanduwa
Thanks for your answer... I am currently trying to use the library in an Angular app... it proves to be quite the hassle because of the lack of documentation... Do you have any experience in working with AppAuth with Angular, by any chance?
– JoellyR
Jan 4 at 23:00
@JoellyR well, I guess you have to rely on GitHub documentation of AppAuth-JS. Also, have a look at their sample app. I am not coming from a JS background though
– Kavindu Dodanduwa
Jan 6 at 3:39
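The Authorization Code flow with PKCE recommended in the answer above, shown for a browser client that holds no client secret. This is an added example, not part of the original post and not AppAuth-JS code; the endpoint, `client_id` and `redirect_uri` values are hypothetical placeholders.

```javascript
// Added example: PKCE (RFC 7636) for a secret-less SPA client.
// Endpoint URL, client_id and redirect_uri are hypothetical placeholders.
const CONFIG = {
  authorizeEndpoint: "https://idp.example.com/authorize",
  clientId: "spa-client",
  redirectUri: "https://app.example.com/callback",
};

async function webCrypto() {
  // Browsers and recent Node expose Web Crypto globally; older Node needs the module.
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

function base64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

async function randomToken(byteLength = 32) {
  const c = await webCrypto();
  return base64url(c.getRandomValues(new Uint8Array(byteLength)));
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function codeChallenge(verifier) {
  const c = await webCrypto();
  const digest = await c.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
  return base64url(new Uint8Array(digest));
}

// Step 1: build the authorization request; the caller stores `state` and `verifier`.
async function beginLogin(scope) {
  const verifier = await randomToken();
  const state = await randomToken(16);
  const url = new URL(CONFIG.authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "code", client_id: CONFIG.clientId, redirect_uri: CONFIG.redirectUri,
    scope, state, code_challenge: await codeChallenge(verifier), code_challenge_method: "S256",
  }).toString();
  return { url: url.toString(), state, verifier };
}

// Step 2: on the redirect back, check `state`, then build the token request body.
function tokenRequestBody(callbackUrl, saved) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("error")) throw new Error(`authorization failed: ${params.get("error")}`);
  if (!params.get("code") || params.get("state") !== saved.state) throw new Error("state mismatch or missing code");
  return new URLSearchParams({
    grant_type: "authorization_code", code: params.get("code"),
    redirect_uri: CONFIG.redirectUri, client_id: CONFIG.clientId, code_verifier: saved.verifier,
  });
}
```

The token request carries `code_verifier` instead of a client secret, so an authorization code intercepted on the redirect cannot be redeemed without the verifier kept by the page that started the login.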