Best Flow for SPA [closed]

Should I go with the current supported libraries that only provide Implicit Flow, or write my own code from scratch to handle the Code Flow?

After doing quite a bit of research on the topic, I see various different opinions on what type of flow to use when working with OAuth 2.0 (OIDC). The recommendations seem to be changing, though, and the support for the new recommendations doesn't seem to be there. Which path should I follow?

  1. Code Flow without a client secret and PKCE seems to be the current "recommendation".
  2. Implicit Flow seems to be the past recommendation.

After looking around, I found that a lot of the Angular libraries written mainly support only Implicit Flow.

So again, the question is: use the existing libraries with the old recommended Implicit Flow, or write our own services to handle the new secret-less Code Flow with PKCE?

Things to consider for my project:

  1. In our app, once you log in for the first time you will have to select an org and, based on that, get a new token with new scopes.
  2. We will have a main Launcher app that opens up iFrames based on the app you select. Each launched app will also have to get new tokens.
  3. Angular experience is limited, but we are willing to put in the work to learn.
  4. We are on quite tight deadlines.










closed as primarily opinion-based by Paul, R. Richards, cgTag, david, Billal Begueradj Jan 4 at 4:07


Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. If this question can be reworded to fit the rules in the help center, please edit the question.

























      angular oauth-2.0 single-page-application oidc






      asked Jan 3 at 21:26
      JoellyR

          1 Answer
          The current recommendation is to use the authorization code flow with PKCE. When OpenID Connect/OAuth 2.0 first came out, implicit flow was recommended for SPAs, but this has changed due to security concerns. Soon there will be amendments to these specifications to highlight the suggestion.

          I would recommend using AppAuth-JS as a library. It provides authorization code flow support with PKCE. It is an official OpenID Foundation library.






          answered Jan 4 at 2:02
          Kavindu Dodanduwa

          • Thanks for your answer. I am currently trying to use the library in an Angular app. It proves to be quite the hassle because of the lack of documentation. Do you have any experience in working with AppAuth with Angular by any chance?

            – JoellyR
            Jan 4 at 23:00











          • @JoellyR well, I guess you have to rely on GitHub documentation of AppAuth-JS. Also, have a look at their sample app. I am not coming from a JS background though

            – Kavindu Dodanduwa
            Jan 6 at 3:39
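
How the PKCE step of the authorization code flow recommended in the answer stands in for a client secret, as an added example that is not part of the original thread or of AppAuth-JS. It runs under Node.js and shows both the client side and the authorization server's check; the endpoint, client_id and redirect URI are placeholders.

```javascript
// Added example: PKCE (RFC 7636) for a public client using the authorization code flow.
// Endpoint, client_id and redirect URI are placeholders, not values from the thread.
const nodeCrypto = require('node:crypto');

const base64url = (buf) => Buffer.from(buf).toString('base64url');

// Client: a fresh high-entropy verifier per authorization request (32 bytes -> 43 chars).
function createVerifier() {
  return base64url(nodeCrypto.randomBytes(32));
}

// S256 transform: BASE64URL(SHA-256(ASCII(code_verifier))).
function challengeFor(verifier) {
  return base64url(nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest());
}

// Client: the authorization request carries only the challenge, never the verifier.
function buildAuthorizationUrl(verifier, state) {
  const url = new URL('https://idp.example/authorize'); // placeholder endpoint
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: 'spa-client',                      // placeholder
    redirect_uri: 'https://app.example/callback', // placeholder
    scope: 'openid',
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return url;
}

// Authorization server, token endpoint: the code is redeemable only by the party
// holding the verifier that hashes to the challenge stored with that code.
function verifierMatches(storedChallenge, presentedVerifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier || '')) return false;
  const a = Buffer.from(challengeFor(presentedVerifier));
  const b = Buffer.from(storedChallenge);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Constructed walk-through: the client that started the flow can redeem the code;
// a party that only observed the redirect (code and challenge) cannot.
const verifier = createVerifier();
const authUrl = buildAuthorizationUrl(verifier, base64url(nodeCrypto.randomBytes(16)));
const stored = authUrl.searchParams.get('code_challenge');
console.log('client holding the verifier:', verifierMatches(stored, verifier));
console.log('party without the verifier:', verifierMatches(stored, createVerifier()));
```

In a browser SPA the same hash is computed with `crypto.subtle.digest('SHA-256', ...)`, and the verifier has to survive the redirect, for example in `sessionStorage`.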


















