we are getting window is not defined error as below.

ReferenceError: window is not defined at new Provider (webpack:///./src/provider.js?:42:86) at Object.<anonymous> (/home/Demo-App/demo/tmp/webpack:/src/routes/requireAuthentication.js:10:20) at webpack_require (/home/Demo-App/demo/tmp/webpack:/webpack/bootstrap 4f5669005e928a572010:19:1) at Object.exports.__esModule (/home/Demo-App/demo/tmp/webpack:/src/routes.js:15:1) at webpack_require (/home/Demo-App/demo/tmp/webpack:/webpack/bootstrap 4f5669005e928a572010:19:1) at Object.<anonymous> (/home/Demo-App/demo/tmp/webpack:/server.babel.js:9:1) at webpack_require (/home/Demo-App/demo/tmp/webpack:/webpack/bootstrap 4f5669005e928a572010:19:1) at Object.<anonymous> (/home/Demo-App/demo/tmp/bundle.js:50:19) at webpack_require (/home/Demo-App/demo/tmp/webpack:/webpack/bootstrap 4f5669005e928a572010:19:1) at /home/Demo-App/demo/tmp/webpack:/webpack/bootstrap 4f5669005e928a572010:39:1

I receive a window is not defined error at

var provider = new OAuth.Provider({ 
id: 'google', // required 
authorization_url: 'https://google.com/auth' // required
 }); 

our package json versions are as below.

"oauth2-client-js": "0.0.15", 
"react": "^15.4.0", 
"react-dom": "^15.4.0"

Hello sir, i am using your package in vue cli 3 and trying to get data form github. But the problem is it returning response as html/text. How can i get the response as json?

If a request fails, like when the auth-endpoint is not available, the remembered request will stay in localstorage. Doesn't it make sense to clear of all remembered request if one succeeds?

Because it's just localStorage.clear().

I'm stepping down as a maintainer of this project, anyone wants to take over? It has around ~150 downloads/month and room for improvement (support for APIs not conforming to OAuth2 RFC, more grant flows).

Trying to use the Javascript library as client side javascript and using the example:

var OAuth = require('@zalando/oauth2-client-js');
var google = new OAuth.Provider({
id: 'google', // required
authorization_url: 'https://google.com/auth' // required
});

But you cannot use require on client side javascript - am I missing something?

var response = google.parse(window.location.href);

Should use window.location.hash instead of window.location.href

Hi, the authorization endpoint I am working with need to set response_type as "id_token token".
However I found the request I sent only had "token". Then I find out that in your OAuthImplicitRequest constructor, the response_type is overwrote to be "config.response_type = 'token';". It doesn't set nonce either. Would you consider to change it?

After retrieving the access token, the client should forget the state, stored in the localStorage. This doesn't seem to work always (open https://yourturn.stups.zalan.do/ and look into the localStorage in the Browser's console, I have 83 state objects stored). Could you implement some sort of cleanup? In one of our projects I use the following:

let localStorage = window.localStorage;
for (let [key] of Object.entries(localStorage)) {
        if (key.startsWith(provider.id)) {
            window.localStorage.removeItem(key);
        }
}

The most recent version of this library published to npmjs.org is v0.0.15, which is from May 2015. Releases
v0.0.16 and v0.0.17 are tagged in the source repo, but they were never published.

Can we please get a new version published to npm? Thanks.

As a user of TypeScript I would really like to be able to use this library with strong typing.

If it's okay with you guys I am willing to try and make the declaration files

node-uuid gives a warning nowadays

According to the rfc, the ROPC flow can also be used when there is a high degree of trust between the resource owner and the client, as it's the case with a first-party app, where the use of an implicit flow would hurt UX. OAuth2-client lacks this ROPC flow.

At the moment, the distribution is built with eval, making minification in userland impossible. devtool: 'eval' should be removed, or enabled only for a development build

I am willing to attempt a PR. Also, do you think it is a good idea to update to Webpack 3 at the same time? I could do that also

Remembering a request will create an entry in localStorage with the key as the concatenation of provider ID and state (uuid)
Only when the user completes the login flow, the entry is cleaned automatically by the library. If the user drops out of the login process and comes back later, a new request will be remembered and the old entry remains, thus gradually fill up localStorage

Could you give a recommended solution for this?

metadata for instance.

This looks useful to the non-Zalando world -- can/should we promote?

Please add the index.d.ts at the root of the NPM package so TypeScript compilers can find it. Alternatively add the typings property in package.json and the .d.ts with some other name.

microsoft/TypeScript#9854

For all of the config keys, the provided values should be used instead of the default ones, if they were present in the config.

This way, something like the 'state' can be set to a specific value, instead of being "hardcoded".

Hello,

Im trying to get a quick oauth mock flow working and currently having issues with the response_type, here is the output of running oauth2-client-js:

Running on http://localhost:8282
        expected Client ID: dummy-client-id
        expected Client Secret: dummy-client-secret
        authorization endpoint: /auth/request/path
        access token endpoint: /access/token/request
        redirect URLs: http://mysite.test/#!/user/login/callback
GET /auth/request/path?response_type=token&scope=&client_id=dummy-client-id&redirect_uri=http%3A%2F%2Fmysite.test%2Fuser%2Flogin%2Fcallback&state=7acfebb1-c2d7-42ff-9cc3-925fa77d3a9b 401 Authorization: - Debug info: Error: expected response_type: "code" but actual: "token" Redirect: -

The website ends up of course in a 401. And this is how I'm building the redirect uri:

const provider = new OAuth.Provider({
    id: 'fake',  
    authorization_url: 'http://localhost:8282/auth/request/path'
});

const request = new OAuth.Request({
    client_id: 'dummy-client-id', 
    redirect_uri: 'http://mysite.test/user/login'
    , response_type: 'token'
})

const uri = provider.requestToken(request);
provider.remember(request);
window.location.href = uri;

Perhaps related to #28 but any clue on how to set this to code? or have the library accept token as its hardcoded in https://github.com/zalando-stups/oauth2-client-js/blob/master/src/request.js#L25

When I try and use this with linked I get an error in the response hash.

Decoded for readability.

error=unsupported_response_type
error_description=We only support a response_type of "code" but you passed "token"

LinkedIn only works with code but the response type is hardcoded to token in request.js. If response types were configurable would this package work with the type code?