Implicit grant type supported? about appauth-android HOT 5 CLOSED

People use the term implicit in two ways.

1, to describe fragment encoding the response
2, to refer to the token response_type

The token response type has some security issues as it cannot be protected from interception via PKCE.
That you likely will not see. (fragment encoded access tokens may go away in future revisions of OAuth)

The hybrid response types like "code id_token" are potentially useful for native apps and may get supported.

We were discussing that last week.

What are you looking for?

Regards

from appauth-android.

I am referring to Section 4.2 of RFC 6749. Based on my understanding of the RFC, I think I am referring to token response_type. From your comment above, it looks like you don't have plans to support it for security reasons. Is that correct?

from appauth-android.

The "token" response type is not recommended for native apps.

The problem is that custom scheme redirects may be intercepted by other than the intended target especially on iOS (it can happen on Android as well but the user is warned).

That flow was intended for JavaScrypt clients executing in a browser and not for native applications.

To set the best example I don't expect it to be supported in the AppAuth.

Regards
John B.

from appauth-android.

Thanks a lot for your quick response.

from appauth-android.

I made some comments related to this in #75 - it would be possible to support in the library, but probably with some pretty onerous version restrictions (Android M and up) to guarantee any kind of security. I agree with John that code flows that grant refresh tokens are much better for native apps, particularly if the tokens granted through the implicit flow have short expirations.

from appauth-android.