Example of implicit grant? about oauth2-server HOT 9 CLOSED

Basically, at the point where the example generates an authorization code, I do something like this:

if ($params['response_type'] === 'code') {
    // Generate an authorization code
    [...]
} else if ($params['response_type'] === 'token') {
    $params["grant_type"] = "implicit";
    $response = $server->issueAccessToken($params);
    return Redirect::to(
        League\OAuth2\Server\Util\RedirectUri::make($params['redirect_uri'],
        array(
            "access_token" => $response["access_token"],
            "token_type" => "bearer",
            "state" => isset($params['state']) ? $params['state'] : ''
        ), "#")
    );
}

from oauth2-server.

Also, there doesn't seem to be anything corresponding to getGrantType('authorization_code')->checkAuthoriseParams() for implicit grants. Should we continue calling that, even though it's on the wrong class?

from oauth2-server.

There is an undocumented (and untested) Implicit grant in the library which you can use.

Can I ask why you need the implicit grant? I strongly recommend that you avoid it

from oauth2-server.

That's what I've been using -- I just didn't realize that it was untested.

I'm using it because my client is a JavaScript app, with no server. So there's no place to store a "client secret". My understanding is that implicit grants are the way to go with browser-only apps.

from oauth2-server.

That's correct however please read this if you haven't already https://github.com/php-loep/oauth2-server/wiki/Which-OAuth-2.0-grant-should-I-use%3F#implicit-grant-section-42

from oauth2-server.

Did you get this working @jacobweber? I have not been able to get the Implicit grant to work yet and noticed the same question you posed regarding checkAuthoriseParams(). So naturally, getGrantType('implicit')->checkAuthoriseParams() fails.

from oauth2-server.

Yes, I have it working. I use getGrantType('authorization_code')->checkAuthoriseParams().

from oauth2-server.

@jacobweber, did you have to do anything else? When I leave authorization_code in the that line I get something back, but it's not the expected format for implicit. It sends me to the redirect URL but it's sending me back with an authcode rather than a token.

It also appears to be creating an authcode in the DB rather than a token.

Did you have to add logic to your authorise() function to handle the implicit requests differently?

from oauth2-server.

Cool that's what I figured I was missing. Makes total sense.

Thanks @jacobweber !

from oauth2-server.