
In researching OAuth 2.0, I see that implicit grant is no longer recommended:

In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or any other response type issuing access tokens in the authorization response, such as "token id_token" and "code token id_token", unless the issued access tokens are sender-constrained and access token injection in the authorization response is prevented.

(source: OAuth 2.0 Security Best Current Practice)

I'm looking into the implementation of OpenID Connect (specifically the Microsoft implementation for Azure AD) and notice the OpenID concept of implicit flow is the basis for many of their implementation examples.

I can see that implicit grant != implicit flow, however, the explanations of the various scenarios seem to indicate that it works the same way, and it's not immediately obvious what the material differences are (at least to me).

For example, the flow diagrams for implicit grant and OpenID Connect appear to be very similar.

Is OpenID Connect implicit flow as unsafe as OAuth 2.0 implicit grant, or does it somehow avoid/mediate the issues that cause implicit grant to be discouraged?

1 Answer


Implicit Flow is now discouraged in favour of Code Flow with PKCE. This is a fairly recent change (in the last year or so), which is why you might see quite a lot of documentation and libraries still recommending Implicit Flow, and support for Code Flow with PKCE is sometimes still lacking in OIDC libraries.

The main concern with Implicit Flow is that at the end of the authentication process, the user is redirected from the identity provider to your app with an access token in the URL. Visited URLs are often stored in browser history and other places, so there is a risk of a malicious actor gaining access to that token and impersonating the logged-in user.

Code Flow with PKCE, on the other hand, makes an HTTP request for the token instead, allowing it to be returned in the body of the response.

This blog has a good comparison of the two.

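The difference the answer describes, shown as an added example that is not part of the original question or answer and not Microsoft's or any library's code: a small Python simulation of what each flow leaves in the redirect URL, plus the PKCE binding (RFC 7636, S256 method) that makes an intercepted authorization code useless without the client-held `code_verifier`. The hostname `app.example`, the token values and the `TokenEndpoint` class are constructed for the illustration and do not model any real provider.

```python
"""Redirect-URL exposure in implicit flow vs code flow with PKCE (constructed example)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier; 32 random bytes give 43 URL-safe chars (RFC 7636 allows 43..128)."""
    return secrets.token_urlsafe(nbytes)


def code_challenge_s256(verifier: str) -> str:
    """S256 method from RFC 7636: BASE64URL(SHA256(code_verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def redirect_url_implicit(access_token: str, state: str) -> str:
    """Implicit flow (response_type=token): the access token itself travels in the URL fragment."""
    frag = urlencode({"access_token": access_token, "token_type": "Bearer", "state": state})
    return "https://app.example/callback#" + frag  # hostname is a placeholder


def redirect_url_code(code: str, state: str) -> str:
    """Authorization code flow: only a short-lived, single-use code appears in the URL."""
    return "https://app.example/callback?" + urlencode({"code": code, "state": state})


def sensitive_params_in_url(url: str) -> set:
    """Credential-bearing parameters that browser history, referrers or logs would capture."""
    u = urlparse(url)
    names = set(parse_qs(u.query)) | set(parse_qs(u.fragment))
    return names & {"access_token", "id_token", "code"}


class TokenEndpoint:
    """Toy authorization server: remembers the code_challenge bound to each issued code."""

    def __init__(self):
        self._codes = {}  # code -> code_challenge registered at the authorization request

    def issue_code(self, challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = challenge
        return code

    def exchange(self, code: str, verifier: str):
        """Back-channel token request; returns an access token or None on rejection."""
        challenge = self._codes.pop(code, None)  # single use: a replayed code is rejected
        if challenge is None:
            return None
        if not secrets.compare_digest(code_challenge_s256(verifier), challenge):
            return None  # code presented without the matching verifier (e.g. intercepted)
        return "at-" + secrets.token_urlsafe(8)  # constructed token value, returned in the body


def demo() -> dict:
    """Run both flows once and report what an observer of the redirect URL would have obtained."""
    state = secrets.token_urlsafe(8)
    implicit_url = redirect_url_implicit("at-" + secrets.token_urlsafe(8), state)

    server = TokenEndpoint()
    verifier = make_code_verifier()
    code = server.issue_code(code_challenge_s256(verifier))
    code_url = redirect_url_code(code, state)

    # Someone holding only the URL (history, log) has the code but not the verifier.
    stolen_code = parse_qs(urlparse(code_url).query)["code"][0]
    return {
        "implicit_exposes": sensitive_params_in_url(implicit_url),
        "code_flow_exposes": sensitive_params_in_url(code_url),
        "legit_exchange_ok": server.exchange(stolen_code, verifier) is not None,
        "replay_ok": server.exchange(stolen_code, verifier) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes concrete: in the implicit response the bearer credential is the URL, so anything that records URLs records the token; in the code flow the URL carries only a code that the token endpoint will redeem once and only together with the verifier that never left the client. Real servers also check `redirect_uri`, client identity and code expiry; those checks are omitted here to keep the PKCE binding in focus.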
