https://www.ory.sh/ logo
Join Slack
Powered by
This message was deleted.
# general
m
This message was deleted.
l
Resource Owner Password Credentials flow is deprecated as it leaks credentials to the client application.
It is even completely omitted from OAuth 2.1 specification.
m
Thanks Stepan! We also have a blogpost going a bit into some unsafe OAuth2.0 practices for SPAs and what you can use instead: https://www.ory.sh/oauth2-for-mobile-app-spa-browser/#avoid-the-oauth2-resource-owner-password-credentials-flow
Also check out this more recent tutorial if you want to add sign up and login to a SPA , it will be much less complex than PKCE: https://www.ory.sh/login-spa-react-nextjs-authentication-example-api-open-source/
s
@magnificent-energy-493 Your next app IS using Resource Owner Password Credentials Flow.
s
that example is not using OAuth in any way, it uses Kratos and its API flows
I recommend to move this to either #C012RBW0F18 or #C012RJ2MQ1H, depending on what you actually use
s
Why doesnt it throw the Error that the Request has Origin header when it is utilizing an API Flow?
s
Then we will add Ory's Next.js Edge-Integration helpers to our project, which will act as a tunnel to Ory Kratos.
i.e. there is a backend proxy between the SPA and kratos
s
So it fakes a resource owner password grant?
s
this has nothing to do with oauth2
it just posts the credentials and gets a session cookie as a response
s
hmm, and because it uses a session cookie instead of bearer or MAC token it is considered to be not oauth2?
s
kratos is no oauth2 provider, it only allows first-party login it does NOT use oauth2
👍 1
it has it's own APIs and stuff, not related to oauth2 (which is a standard that dictates all the APIs)
s
understood
m
As others mentioned, resource owner password flow is not a good option and the spec mentions not to go with it unless you really trust the client
3 Views
Open in Slack
PreviousNext
Powered by