#general

silly-telephone-79802

11/18/2021, 3:17 PM
Does it make sense to use authorization code flow in a SPA? I mean I could use resource owner password flow for the SPA

limited-tent-11422

11/18/2021, 3:31 PM
Resource Owner Password Credentials flow is deprecated as it leaks credentials to the client application.
It is even completely omitted from OAuth 2.1 specification.

magnificent-energy-493

11/18/2021, 3:44 PM
Thanks Stepan! We also have a blogpost going a bit into some unsafe OAuth2.0 practices for SPAs and what you can use instead: https://www.ory.sh/oauth2-for-mobile-app-spa-browser/#avoid-the-oauth2-resource-owner-password-credentials-flow
Also check out this more recent tutorial if you want to add sign up and login to a SPA, it will be much less complex than PKCE: https://www.ory.sh/login-spa-react-nextjs-authentication-example-api-open-source/

silly-telephone-79802

11/18/2021, 3:55 PM
@magnificent-energy-493 Your next app IS using Resource Owner Password Credentials Flow.

steep-lamp-91158

11/18/2021, 4:12 PM
that example is not using OAuth in any way, it uses Kratos and its API flows
I recommend moving this to either #hydra or #kratos, depending on what you actually use

silly-telephone-79802

11/18/2021, 4:14 PM
Why doesn't it throw the error that the request has an Origin header when it is utilizing an API flow?

steep-lamp-91158

11/18/2021, 4:15 PM
Then we will add Ory's Next.js Edge-Integration helpers to our project, which will act as a tunnel to Ory Kratos.
i.e. there is a backend proxy between the SPA and kratos

silly-telephone-79802

11/18/2021, 4:16 PM
So it fakes a resource owner password grant?

steep-lamp-91158

11/18/2021, 4:16 PM
this has nothing to do with oauth2
it just posts the credentials and gets a session cookie as a response

silly-telephone-79802

11/18/2021, 4:18 PM
hmm, and because it uses a session cookie instead of bearer or MAC token it is considered to be not oauth2?

steep-lamp-91158

11/18/2021, 4:19 PM
Kratos is not an OAuth2 provider, it only allows first-party login; it does NOT use OAuth2
it has its own APIs and stuff, not related to OAuth2 (which is a standard that dictates all the APIs)

silly-telephone-79802

11/18/2021, 4:21 PM
understood

miniature-pillow-89683

11/23/2021, 1:17 PM
As others mentioned, resource owner password flow is not a good option and the spec mentions not to go with it unless you really trust the client