Hello! I don't understand why authorization code is the default mode in the keycloak.js adapter (for an SPA JavaScript application). Should it be implicit flow instead? Is it safe to use this flow for public clients? I know that 'sending the access token in the URL fragment can be a security vulnerability', but:

- the authorization code is also returned in query params
- CORS needs to be enabled on the server side (to exchange the code for a token via POST)
- we have an extra step
- we can use refresh tokens, but we can also make this work in implicit flow (hidden iframe)

If my arguments are wrong: why do we need implicit flow if it is authorization code? How does it relate to the OpenID Connect and OAuth specifications? Thanks!
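The two redirect shapes the post compares, and the extra token-exchange POST it mentions, as an added example (not code from the original post or from the Keycloak adapter). The realm name, base URL, client id and redirect URI are assumptions; the redirect URLs and tokens are constructed.

```javascript
// Added example, not from the post or from keycloak.js. Assumed values:
const KEYCLOAK_BASE = 'https://idp.example';   // assumed Keycloak server
const REALM = 'demo';                          // assumed realm
const CLIENT_ID = 'spa';                       // assumed public client id
const REDIRECT_URI = 'https://app.example/cb'; // assumed redirect URI

// Authorization code flow: the SPA is sent back with ?code=...&state=...
// Implicit flow: the SPA is sent back with #access_token=...&state=...
// The fragment is not sent to the server, but it is the token itself and
// sits in the browser URL, history and anything that reads location.hash;
// the code is a one-time value that still has to be exchanged.
function parseRedirect(urlString) {
  const url = new URL(urlString);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (query.has('code')) {
    return { flow: 'code', code: query.get('code'), state: query.get('state') };
  }
  if (fragment.has('access_token')) {
    return {
      flow: 'implicit',
      accessToken: fragment.get('access_token'),
      state: fragment.get('state'),
    };
  }
  return { flow: 'none' };
}

// The extra step of the code flow: a POST from the browser to the token
// endpoint, which is why the SPA's origin must be allowed (CORS).
// Returned as a request description so it can be inspected offline.
function buildTokenExchange(code) {
  return {
    method: 'POST',
    url: `${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code,
      redirect_uri: REDIRECT_URI,
      client_id: CLIENT_ID, // public client: no client_secret is sent
    }).toString(),
  };
}

// Constructed redirect URLs for the two flows (not real codes or tokens).
const CODE_REDIRECT = 'https://app.example/cb?state=xyz&code=abc123';
const IMPLICIT_REDIRECT =
  'https://app.example/cb#access_token=eyJ.fake&token_type=bearer&state=xyz';
```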