webadmin: remove the implicit flow

We now use PKCE. The main advantage is that the access token no longer appears
in the URL.

in pkce, the auth code by itself is useless. need the verifier.

fixes #844
This commit is contained in:
Girish Ramakrishnan
2026-03-14 22:06:17 +05:30
parent dc1449c7b6
commit c15e342bb8
7 changed files with 101 additions and 28 deletions


@@ -61,8 +61,9 @@ async function get(id) {
id: ID_WEBADMIN,
secret: 'notused',
application_type: 'web',
response_types: ['code', 'code token'],
grant_types: ['authorization_code', 'implicit'],
token_endpoint_auth_method: 'none',
response_types: ['code'],
grant_types: ['authorization_code'],
loginRedirectUri: `https://${dashboardFqdn}/authcallback.html`
};
} else if (id === ID_DEVELOPMENT) {
@@ -70,8 +71,9 @@ async function get(id) {
id: ID_DEVELOPMENT,
secret: 'notused',
application_type: 'native', // have to use native here to support plaintext http on localhost
response_types: ['code', 'code token'],
grant_types: ['authorization_code', 'implicit'],
token_endpoint_auth_method: 'none',
response_types: ['code'],
grant_types: ['authorization_code'],
loginRedirectUri: 'http://localhost:4000/authcallback.html'
};
} else if (id === ID_CLI) {
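Review bot: `token_endpoint_auth_method: 'none'`, added in both hunks, turns the webadmin and development entries into public clients, yet `secret: 'notused'` stays in both definitions and a reader is left to guess which setting is authoritative. Suggest a comment on the new line, `token_endpoint_auth_method: 'none', // public client: no client secret; the PKCE code_verifier binds the code to the browser that started the flow`, and one on `secret` stating that it is ignored for this auth method. With no secret in play, the only protections for the authorization code are PKCE and exact matching of the single registered `loginRedirectUri`, which is worth stating where the client is defined. The `ID_CLI` branch that begins on the last line lies outside the hunk, so whether it also dropped `'implicit'` cannot be checked here.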


@@ -36,15 +36,14 @@ import mailpasswords from './mailpasswords.js';
const { log, trace } = logger('oidcserver');
// 1. Index.vue starts the OIDC flow by navigating to /openid/auth. Webadmin sets callback url to authcallback.html + implicit flow
// 1. Index.vue starts the OIDC flow by navigating to /openid/auth. Webadmin uses authorization code flow with PKCE
// 2. oidcserver starts an interaction and redirects to oidc_login.html
// 3. oidc_login.html is rendered by renderInteractionPage() with the form submit url /interaction/:uid/login
// 4. When form is submitted, it invokes interactionLogin(). This validates user creds
// 5. We enter the scopes confirmation flow which is oidc_interaction_confirm.html rendered by renderInteractionPage()
// 6. We have no concept of confirmation. The page auto-submits the form immediately without user interaction
// 7. oidcserver calls interactionConfirm() which finishes it via interactionFinished().
// FIXME: webadmin's implicit flow (response_type=code token) results in authcallback.html being called with access_token query param. We should remove this
// 8. authcallback.html exchanges the authorization code for an access token via POST to /openid/token with code_verifier
const ROUTE_PREFIX = '/openid';
@@ -719,8 +718,8 @@ async function start() {
keys: [ cookieSecret ]
},
pkce: {
required: function pkceRequired(/*ctx, client*/) {
return false;
required: function pkceRequired(ctx, client) {
return client.clientId === 'cid-webadmin' || client.clientId === 'cid-development';
}
},
clientBasedCORS(ctx, origin, client) {
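Review bot: `pkceRequired` now demands PKCE only for the two hard-coded ids `'cid-webadmin'` and `'cid-development'`, so any other client registered with `token_endpoint_auth_method: 'none'` can still redeem a bare authorization code without a verifier. Since PKCE is what stands in for the client secret on public clients, the rule should key on the auth method rather than on identity, `return client.tokenEndpointAuthMethod === 'none';` (if this is node-oidc-provider, as the `pkce.required`/`clientBasedCORS` hooks suggest, client metadata is exposed in camelCase, consistent with the existing `client.clientId` access); any further public client, the CLI being a likely candidate, would then also have to send a `code_challenge`, which is presumably the intent of this commit. If the per-id list is kept, the string literals duplicate the `ID_WEBADMIN`/`ID_DEVELOPMENT` constants used in the clients module and should reference them if they are exported. The `start()` function that holds this configuration continues outside the hunk.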