IMPORTANT NEWS - "IMPLICIT GRANT" FLOW

Lori Pettebone-Koraganie

Mar 26, 2021, 4:28:24 PM
to Developer Group for CMS Blue Button API

Attention all BB2.0 Applications & SBX Users,

Important News

The "Implicit Grant" flow is now discouraged by OAuth 2.0 best practices and is being deprecated in the OAuth 2.1 specifications. The Blue Button 2.0 team will be requiring Apps and Sandbox users currently using the "Implicit Grant" flow to discontinue using this spec as we move toward deprecating it.

We are requesting Applications and Sandbox users using the "Implicit Grant" flow to update their apps, and we ask that no new sandbox users utilize the "Implicit Grant" flow in new development. This will mean that your applications will need to be updated to utilize the "Authorization Code Grant" flow. The information on how that can be accomplished can be found here.

Although not currently required, it is recommended to utilize the OAuth 2.0 PKCE (Proof Key for Code Exchange) extension for improved security in the authorization flow. We plan to cut off access utilizing the "Implicit Grant" method by June 30, 2021.

If you have any questions or concerns with this timeline or next steps, please reach out via the Google Group.  

As always, we welcome your feedback.

Regards,
The Blue Button 2.0 Team

Sai Valluripalli

Jun 16, 2021, 5:10:50 PM
to Developer Group for CMS Blue Button API
Hi Lori,

In our API we have implemented a filter where all the HTTPS requests are routed and we validate the token. I am looking for the Blue Button issuer URL and am unable to locate it. Can you help me find this information?
During the registration process, I haven't found any details about the URLs except the callback URL.

Appreciate your support.

Thank you,
Sai
