
Comments (6)

soofstad avatar soofstad commented on August 20, 2024 2

Hi @videate-miguel
I'm not opposed to allowing for extra headers in general, but the example you give is exactly why I'm not sure it's a good idea. Sending a custom authorization header using basic auth to get the token is exactly the problem OAuth2, and the code flow in particular, is intended to solve.

So I'm afraid adding this feature might lead to unsafe usage of the library, and until I find some solid arguments why it would be needed, I don't think we should add it.

Do you have some documentation on why you need this header for the token endpoint?
What kind of authentication server are you using?

A usual workaround for ID-providers not following the OAuth2 spec is to deploy a small custom auth API that can add client-secrets etc. to the request before forwarding to the IDP.

from react-oauth2-pkce.
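
The workaround described in the comment above (a small auth API that adds the client secret before forwarding to the IdP) can be implemented as follows. This is an added example, not code from the thread or from react-oauth2-pkce; the config fields (`tokenEndpoint`, `clientId`, `clientSecret`, `redirectUris`) and function names are hypothetical, and it assumes Node 18+ for the global `fetch`.

```javascript
// Added example: token relay that keeps the client secret server-side.
// Grant types and their forwardable parameters; a Map avoids prototype-key
// lookups such as grant_type=constructor.
const ALLOWED_PARAMS = new Map([
  ['authorization_code', ['code', 'redirect_uri', 'code_verifier']],
  ['refresh_token', ['refresh_token', 'scope']],
]);

// application/x-www-form-urlencoded encoding of one value (RFC 6749 2.3.1).
function formEncode(value) {
  return new URLSearchParams([['', value]]).toString().slice(1);
}

// rawBody: form body posted by the SPA. cfg: hypothetical server-side config.
function buildUpstreamTokenRequest(rawBody, cfg) {
  const incoming = new URLSearchParams(rawBody);
  const grantType = incoming.get('grant_type');
  const allowed = ALLOWED_PARAMS.get(grantType);
  if (!allowed) throw new Error('unsupported grant_type');
  if (grantType === 'authorization_code') {
    if (!incoming.get('code_verifier')) throw new Error('code_verifier required');
    if (!cfg.redirectUris.includes(incoming.get('redirect_uri'))) {
      throw new Error('redirect_uri not allowed');
    }
  }
  // Copy only allowlisted fields; anything else the browser sent is dropped.
  const body = new URLSearchParams({ grant_type: grantType });
  for (const name of allowed) {
    const value = incoming.get(name);
    if (value !== null) body.set(name, value);
  }
  const credentials = `${formEncode(cfg.clientId)}:${formEncode(cfg.clientSecret)}`;
  return {
    url: cfg.tokenEndpoint,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${Buffer.from(credentials).toString('base64')}`,
    },
    body: body.toString(),
  };
}

// Forwards the rebuilt request; fetchImpl is injectable for testing.
async function relayTokenRequest(rawBody, cfg, fetchImpl = fetch) {
  const { url, ...init } = buildUpstreamTokenRequest(rawBody, cfg);
  const res = await fetchImpl(url, init);
  return { status: res.status, body: await res.text() };
}
```

The browser keeps running the normal PKCE flow and points its token requests at this relay, so the secret and the Basic header never reach client-side code.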

soofstad avatar soofstad commented on August 20, 2024 1

All right, I don't like this. But since all the defaults are secure, the library should not limit anyone in doing custom/unsafe stuff if they know what they are doing.

Will make a pull-request when I get some time. Shouldn't be too long.


videate-miguel avatar videate-miguel commented on August 20, 2024

Hi there 👋

I am encountering a challenge in integrating with a client's custom OAuth implementation. While their approach largely adheres to the specifications, a specific token request is failing due to an additional header they have included.

I value your library and intended to adopt it as a replacement for our current solution. However, the current inflexibility of the library prevents it from accommodating this exceptional scenario. As I lack the authority to influence or command our clients to strictly follow the specifications, I am constrained to either seek an alternative library or manually handle these requests. I have to adapt to what my clients have; otherwise it could result in not getting a deal 😅.

I understand the importance of maintaining adherence to the specifications, but I kindly request that the library be enhanced to provide greater flexibility in handling such rare cases. This would enable us to continue utilizing your valuable resource without compromising our ability to adapt to client-specific requirements.


videate-miguel avatar videate-miguel commented on August 20, 2024

Thank you so much, I really appreciate it 🥳


github-actions avatar github-actions commented on August 20, 2024

Stale issue message

