Add Login Using the Authorization Code
Also, as was suggested in the latter, I followed the Quickstart as well, making sure my code and config are identical to the given example.
Then I disabled all the authentication flows except Authorization Code and Refresh Token. Now when I try to log in with my test user I get an error saying: unauthorized_client : Grant type ‘implicit’ not allowed for the client.
When I enable Implicit flow of course it works, but why would I need to enable it even though the documentation says I’m doing an Authorization Code flow?
If the documentation is wrong (or misleading) how can I enable Authorization Code flow (as opposed to Implicit flow) in the given ASP.NET MVC (OWIN) example?
What OWIN example are you using for this? Implicit Flow runs client side (javascript apps). In an MVC application, there is a callback url running server side so it should be Authorization Code Flow as you stated. In your case, it seems the redirection to the Authorization Server is happening client side so it tries to use implicit flow.
This is the redirection I pasted from the browser; broken down in multiple lines to make it more readable.
https://.eu.auth0.com/authorize?client_id=&
redirect_uri=%2Fcallback&
response_type=code%20id_token&
scope=openid%20profile%20email&state=OpenIdConnect.AuthenticationProperties%3D4Lp7Uxk2sNstiaR2pqrC3PJwy8r_YzVlLEbl_hEpf-3N6yzQ_VTw2jXFKXTsg4I7I_AbhDv8CMimSoiVHeLl_nDDrKpajQQVjhp2gdnbJ7IOfLl1H-PRsGFXTnjFt-5CK7IZHLxC1mpyWuKmm7I7Vbh9Fzu4FpC3NXi71fYoZO7iRvcjesINmAdQc3xgOsO690jyxkG_f1xn1C5fBSiGiKN_4ARi4XU9YDl3tdqr11g&
response_mode=form_post&
nonce=637502075583186529.MTNhZmVhYWUtZDdjZi00YjZlLThlZGQtYzU4NDUyYTU0NDIwZjBiZmM3M2YtMTVjZS00YmQzLTkyYzUtZWIyOTA5ODIwYjE3&
x-client-SKU=ID_NET461&
x-client-ver=5.3.0.0
I’m also expecting it to be Authorization Code Flow, but why, when I turn off Implicit in the Advanced settings, does it stop working and give me the error:
I realize that this question was asked a while ago, but I thought I’d follow up since we just ran into the same problem.
It looks like the ASP.NET OWIN example is a little outdated with respect to the recommended flows. I think the reason for the warning is that you are requesting both code and id_token in the response_type, which triggers the Hybrid Flow rather than the Authorization Code Flow. And as far as I can tell, the Implicit grant type must be enabled to use Hybrid Flow.
So you can either choose to enable the Implicit grant type (not recommended), or remove id_token from the response_type argument and find a way to handle the token exchange.
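To make the response_type distinction in the reply above concrete, the following is an added example that is not code from this thread, from the Auth0 samples or from the OWIN middleware. It classifies an authorize request by its response_type using the definitions in OAuth 2.0 (RFC 6749) and the OAuth 2.0 Multiple Response Type Encoding Practices / OIDC Core (code alone is the Authorization Code Flow; id_token and/or token alone is Implicit; code combined with either is Hybrid), flags the checks a server-side app would want, and rewrites the request so that only code is requested. The sample URL is constructed for this example with placeholder tenant, client_id, state and nonce values.

```python
"""Classify an OIDC/OAuth 2.0 authorize request by its response_type.

Added example (not from the Auth0 samples or the OWIN middleware).
Mapping used, per RFC 6749 / OAuth 2.0 Multiple Response Types / OIDC Core:
  "code"                          -> authorization_code
  "id_token", "token", both       -> implicit
  "code" plus id_token and/or token -> hybrid
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

FRONT_CHANNEL_TYPES = {"id_token", "token"}

# Constructed sample; tenant, client_id, state and nonce are placeholders.
SAMPLE_AUTHORIZE_URL = (
    "https://example-tenant.eu.auth0.com/authorize?"
    "client_id=YOUR_CLIENT_ID&"
    "redirect_uri=https%3A%2F%2Flocalhost%3A44300%2Fcallback&"
    "response_type=code%20id_token&"
    "scope=openid%20profile%20email&"
    "state=OpenIdConnect.AuthenticationProperties%3DPLACEHOLDER&"
    "response_mode=form_post&"
    "nonce=PLACEHOLDER_NONCE&"
    "x-client-SKU=ID_NET461&"
    "x-client-ver=5.3.0.0"
)


def classify_response_type(response_type: str) -> str:
    """Return authorization_code, implicit, hybrid or unknown."""
    parts = set(response_type.split())
    if not parts or not parts <= ({"code"} | FRONT_CHANNEL_TYPES):
        return "unknown"
    if parts == {"code"}:
        return "authorization_code"
    if "code" in parts:
        return "hybrid"
    return "implicit"


def _first(q: dict, key: str) -> str:
    return q.get(key, [""])[0]


def analyze_authorize_url(url: str) -> dict:
    """Classify the request and list the things a server-side app should check."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    response_type = _first(q, "response_type")
    flow = classify_response_type(response_type)
    warnings = []
    if flow in ("hybrid", "implicit"):
        # Tokens leave the AS on the front channel: the client must have the
        # Implicit grant enabled, which is exactly the error seen in the thread.
        warnings.append("front-channel token delivery: Implicit grant must be "
                        "enabled on the client")
        if _first(q, "response_mode") != "form_post":
            # Default delivery for these response types is the URL fragment,
            # which never reaches a server-side callback.
            warnings.append("tokens would arrive in the URL fragment; a "
                            "server-side callback needs response_mode=form_post")
    if "id_token" in response_type.split() and not _first(q, "nonce"):
        # OIDC Core requires nonce whenever an ID token is returned from the
        # authorization endpoint (replay protection).
        warnings.append("id_token requested without a nonce")
    return {"flow": flow, "response_type": response_type, "warnings": warnings}


def authorization_code_variant(url: str) -> str:
    """Rewrite the request to ask for code only (Authorization Code Flow).

    The ID token is then obtained from the token endpoint during the
    back-channel code exchange instead of from the authorize response.
    """
    s = urlsplit(url)
    q = parse_qs(s.query, keep_blank_values=True)
    q["response_type"] = ["code"]
    return urlunsplit((s.scheme, s.netloc, s.path, urlencode(q, doseq=True), s.fragment))


if __name__ == "__main__":
    print(analyze_authorize_url(SAMPLE_AUTHORIZE_URL))
    print(analyze_authorize_url(authorization_code_variant(SAMPLE_AUTHORIZE_URL)))
```

Run it against the authorize URL copied from the browser address bar: a result of hybrid means the middleware is asking for code and id_token together, which is what makes the authorization server require the Implicit grant even though a code is also being issued.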
I would also like to add that I believe using Implicit Flow is a good idea, as long as you ensure you set the response type to be form_post. Doing so ensures you have no need to use a Client Secret (even though that is kept server-side, it is still better not having to use any at all), and should be perfectly fine unless you have the need to call an external API using an Access Token, in that case you probably want to resort to the Authorization Code Flow as being mentioned above.
Thanks @StephanieMunck and @frederik.prijck I will give both of these a try and post here if it worked (or not). It is a pity though if the official samples that are just a few are not up to date with the latest evolutions.
I can confirm too that for ASPNET MVC/OWIN to work correctly with OIDC you need both values set in Options otherwise Auth0 considers the request as of type Implicit (even if it’s not).