Laravel Authentication Security

I went through multiple posts saying that the implicit grant is a security risk and why the auth code grant, with an AJAX request to the authorization server after redirecting to the application (without passing client_secret to the auth server), should be used instead.

Now, in 2019, there is no CORS issue, as I can allow app domains on the authorization server.

I have the following concerns.

If I use implicit grant:

  1. The implicit grant has security issues, as the authorization server redirects to the application server with the token in the URL.
  2. If I set the expiration time to 5 to 10 minutes, then after expiration the user will be redirected to login, and that is problematic, especially if he is filling in an important form on the application. What to do in this scenario? Note that there is no refresh token in the implicit grant to obtain a new token with, so the refresh token is out of the picture.

If I use the auth code grant: suppose I make an AJAX request after getting redirected to my main application site and get a token in exchange for the code,

  1. The auth code grant uses client_secret, and in a JavaScript app, where anyone can see the code, we can't use a secret.

What approach should be taken here? I am more inclined towards auth_code for an SPA, but the issue is how to deal with client_secret.

Thank you for reading.

There are multiple links that recommend using the auth code grant instead for SPAs. A few of them:

https://www.oauth.com/oauth2-servers/single-page-apps/

https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926

Last updated 2 years ago.


Laravel.io
