This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Clients : Implicit Javascript Client #80

Closed
pksorensen opened this issue May 10, 2014 · 5 comments

@pksorensen
Contributor

    <!-- for JWS -->
    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/core.js"></script>
    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/sha1.js"></script>
    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/sha256.js"></script>
    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/x64-core.js"></script>
    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/sha512.js"></script>

    <script src="http://kjur.github.io/jsrsasign/ext/base64.js"></script>
    <script src="http://kjur.github.io/jsrsasign/ext/jsbn.js"></script>
    <script src="http://kjur.github.io/jsrsasign/ext/jsbn2.js"></script>
    <script src="http://kjur.github.io/jsrsasign/ext/rsa.js"></script>
    <script src="http://kjur.github.io/jsrsasign/ext/rsa2.js"></script>
    <script src="http://kjur.github.io/jsrsasign/rsapem-1.1.js"></script>
    <script src="http://kjur.github.io/jsrsasign/rsasign-1.2.min.js"></script>
    <script src="http://kjur.github.io/jsrsasign/asn1hex-1.1.js"></script>
    <script src="http://kjur.github.io/jsrsasign/x509-1.1.js"></script>
    <script src="http://kjur.github.io/jsrsasign/crypto-1.1.js"></script>
    <script src="http://kjur.github.io/jsrsasign/base64x-1.1.js"></script>

    <script src="Scripts/json-sans-eval.js"></script>
    <script src="Scripts/jws-3.0.js"></script>
    <!-- /for JWS -->

Possible that you guys could give a short comment on all above scripts?

Is it just for the purpose of decoding, showing content of the tokens in the browser?

In real world applications would people do stuff like that? Is the more used approach not to use the token to ask the user endpoint to get the claims / profile.

I am wondering if you have a good use case where you have used this in real world applications to decode the JWT tokens on the client.

@brockallen
Member

We will eventually provide some JS to validate id tokens and this is a JS library we are using for now to do that (since it already implemented all the JWT validation).

@leastprivilege
Member

The OIDC spec requires that the first thing you do in your client app is to validate the identity token. This sample will eventually show how this works in JS. But we are done yet.

@pksorensen
Contributor Author

I figured that it was not done, some other comment/task here indicated it.

Makes sense. So validate the identity token.

The reason why I might not have seen this before when working with OAuth2: could it be normal behavior that you just request a token and pass it on to the resource API again, and it's not important to validate the token if it's not used in the client but only to access remote resources?

@leastprivilege
Member

Right - OAuth2 is not about authentication ;) But in OIDC the client is actually the consumer of the identity token.

@brockallen
Member

Dup of this: #13
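
The identity token validation discussed in this thread, as an added example that is not part of the original issue or the project's sample: signature, issuer, audience, expiry and nonce checks on an ID token. It assumes Node.js's built-in `crypto` module instead of the jsrsasign/jws scripts listed above, and the function names, issuer, client id, nonce and key pair are constructed for illustration.

```javascript
// Added example: ID token checks an OIDC implicit-flow client performs (Node.js).
const nodeCrypto = require('crypto');

const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// expected = { issuer, clientId, nonce } are values the client already holds;
// publicKeyPem is the provider's signing key; now is seconds since the epoch.
function validateIdToken(token, publicKeyPem, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = b64urlJson(h);
  // Pin the algorithm: never let the token choose "none" or an HMAC variant.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    publicKeyPem, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = b64urlJson(p);
  if (claims.iss !== expected.issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // The nonce ties the token to the request this client sent (replay protection).
  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  return claims;
}

// Constructed test fixture: a throwaway key pair and a token signed with it.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const PUBLIC_PEM = publicKey.export({ type: 'spki', format: 'pem' });
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');

function signToken(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

const EXPECTED = { issuer: 'https://idp.example', clientId: 'implicit-js-client', nonce: 'n-7f3a' };
const GOOD = { iss: EXPECTED.issuer, aud: EXPECTED.clientId, sub: 'alice', nonce: EXPECTED.nonce, exp: 2000 };

// Returns the rejection reason, or 'ok' when the token is accepted (now = 1000).
function check(token) {
  try { validateIdToken(token, PUBLIC_PEM, EXPECTED, 1000); return 'ok'; }
  catch (e) { return e.message; }
}
```

The checks run signature first, so no claim from an unverified payload is ever trusted.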
