My expectation was that the app developer would use their own redirectURL, and point it to a…

Right, and this alludes to the problems. 1) If the app has no server, then the developer doesn’t have a server/address they control. So if not back to the app itself, where does one redirect the user? 2) This scenario is covered by the implicit flow, not the client flow. In the implicit flow, the user does not exchange an authorization code; rather, they get an id_token and token directly from the auth endpoint. When using the implicit flow, the client must take care not to leak those tokens, but sending the user to a dummy address “leaks.”

For a server-less Cordova application, how can one implement the implicit flow of OpenID Connect?

Like what you read? Give Ben Botto a round of applause.
