#general
Title
s
silly-telephone-79802
11/18/2021, 3:17 PMDoes it make sense to use authorization code flow in a SPA? I mean I could use resource owner password flow for the SPA
l
limited-tent-11422
11/18/2021, 3:31 PMResource Owner Password Credentials flow is deprecated as it leaks credentials to the client application.
It is even completely omitted from OAuth 2.1 specification.
m
magnificent-energy-493
11/18/2021, 3:44 PM
Thanks Stepan!
We also have a blogpost going a bit into some unsafe OAuth2.0 practices for SPAs and what you can use instead:
https://www.ory.sh/oauth2-for-mobile-app-spa-browser/#avoid-the-oauth2-resource-owner-password-credentials-flow
Also check out this more recent tutorial if you want to add sign up and login to a SPA , it will be much less complex than PKCE:
https://www.ory.sh/login-spa-react-nextjs-authentication-example-api-open-source/
s
silly-telephone-79802
11/18/2021, 3:55 PM@magnificent-energy-493 Your next app IS using Resource Owner Password Credentials Flow.
s
steep-lamp-91158
11/18/2021, 4:12 PM
that example is not using OAuth in any way, it uses Kratos and its API flows
I recommend to move this to either #hydra or #kratos, depending on what you actually use
s
silly-telephone-79802
11/18/2021, 4:14 PMWhy doesnt it throw the Error that the Request has Origin header when it is utilizing an API Flow?
s
steep-lamp-91158
11/18/2021, 4:15 PM
Then we will add Ory's Next.js Edge-Integration helpers to our project, which will act as a tunnel to Ory Kratos.
i.e. there is a backend proxy between the SPA and kratos
s
silly-telephone-79802
11/18/2021, 4:16 PMSo it fakes a resource owner password grant?
s
steep-lamp-91158
11/18/2021, 4:16 PM
this has nothing to do with oauth2
it just posts the credentials and gets a session cookie as a response
s
silly-telephone-79802
11/18/2021, 4:18 PMhmm, and because it uses a session cookie instead of bearer or MAC token it is considered to be not oauth2?
s
steep-lamp-91158
11/18/2021, 4:19 PM
kratos is no oauth2 provider, it only allows first-party login
it does NOT use oauth2
👍 1
it has it's own APIs and stuff, not related to oauth2 (which is a standard that dictates all the APIs)
s
silly-telephone-79802
11/18/2021, 4:21 PMunderstood
m
miniature-pillow-89683
11/23/2021, 1:17 PMAs others mentioned, resource owner password flow is not a good option and the spec mentions not to go with it unless you really trust the client
2 Views