Description
Is your feature request related to a problem? Please describe.
The Getting started with OAuth2 section of the discordjs guide describes the implicit grant workflow.
It even states:
For basic applications like SPAs, getting an access token directly is enough.
This is incredibly wrong: for a native app or an SPA, the access token should never be delivered to the frontend.
As per a page on oauth.net:
The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the authorization code flow with PKCE instead.
The Best Current Practice document linked above is a new IETF draft on OAuth2 best practices and recommendations. The only recommended OAuth2 workflow for Single Page Applications (SPAs) is the Authorization Code Grant with PKCE.
The PKCE workflow works by:
- Your backend generates a state parameter, a code verifier and the matching code challenge, and redirects your user to the OAuth provider with the appropriate parameters. Refer to RFC 7636 for the PKCE workflow standards.
- The user logs in through the provider and is redirected to a frontend SPA URL with a code generated by the OAuth provider.
- The SPA then sends the code to the backend.
- The backend then submits both the code and the challenge (matching the verifier sent in the original request).
- The OAuth provider responds to the backend with an access token and a refresh token - neither of which should ever reach your frontend client.
Describe the solution you'd like
Remove the implicit grant entirely from the guide.
Describe alternatives you've considered
Add a big red warning advising that the implicit grant is deprecated and insecure and should not be used.
Additional notes
Within the next couple of months I plan on releasing a full discord oauth2 workflow example repo that covers an SPA and secure practices, and I'd be happy for it to be reviewed and used as an example once it's up.