I want to connect my angular2 frontend app with symfony backend. So I'm using FOSOAuthServerBundle (https://github.com/FriendsOfSymfony/FOSOAuthServerBundle) to authorize my frontend app, but I don't understand clearly how to implement this.
I tried "token" endpoint method, but there I had to send client_id and client_secret, from my angular2 app. And I think it's bad to store client_secret in public.
"Authorize" endpoint don't use client_secret, but is demanding login form, what is not good for my case.
I tried custom grant extension, but FOSOAuthServerBundle also requires to validate client with client_secret.
What is best practice authorize angular2 with symfony? It's ok to store client_secret in frontend? Or should I extend FOSOAuthServerBundle and remove client_secret checking?
You're correct about client_secret. It's not valid practice to publish secret key more widely.
Unfortunately at this moment FOSOAuthBundle is not suitable to your needs. This bundle focus only about backend OAuth clients. They have open issue on github to add support of public clients: https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/266
One thing to clarify regarding token & authorize endpoints - token and authorize endpoints have to be mixed in process of access to your resource. I suggest you to read whole RFC to understand process of authorization with OAuth: https://www.rfc-editor.org/rfc/rfc6749