[Openid-specs-ab] openid connect and implicit/hybrid flows
Nikos Fotiou
fotiou at aueb.gr
Wed May 11 08:53:40 UTC 2022
Hi all,
I would love your opinion on the following. Since implicit flow is
discouraged in OAuth 2.0, I was under the impression that implicit and hybrid
flow should be avoided in OpenID Connect as well.
However, I was browsing Microsoft's documentation for their Active Directory
B2C product, which supports OpenID Connect, and all their examples are using
hybrid flow
(https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect).
Moreover, they mention authorization code flow as something "fancy",
which is used "only to web applications that need to make authenticated
calls to a web API". This is reflected in Microsoft's Identity Web library
(https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web)
where, in order to use the authorization code flow, you have to
call a function named "EnableTokenAcquisitionToCallDownstreamApi".
So in scenarios where the RP is a regular web application that needs only
the ID token:
- Does implicit flow introduce security threats?
- Should authorization code flow be preferred?
Best,
Nikos
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr
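Added example, not part of the post above: the two authorization requests an RP that only needs an ID token would send (response_type=code vs. response_type=id_token), and the checks the RP must run on the returned ID token in either flow (signature, iss, aud, exp, and the nonce that binds the token to this RP session). The issuer, client_id, redirect_uri and client_secret are constructed; the OP side is simulated by signing with HS256 using the client_secret, which OpenID Connect permits, so the code runs offline.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

ISSUER = "https://op.example"          # constructed OP issuer
CLIENT_ID = "rp-client"                # constructed client_id
CLIENT_SECRET = b"constructed-secret"  # HS256 key (OIDC allows client_secret as HMAC key)

def authz_request(flow, nonce, state):
    """Build the OIDC authorization request URL for 'code' or 'implicit' flow."""
    response_type = {"code": "code", "implicit": "id_token"}[flow]
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": "https://rp.example/cb", "scope": "openid",
              "state": state, "nonce": nonce}  # nonce is REQUIRED for id_token responses
    if flow == "implicit":
        params["response_mode"] = "fragment"  # token returns via the browser (front channel)
    return f"{ISSUER}/authorize?" + urlencode(params)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims):
    """Simulated OP: sign an ID token with HS256 (constructed for this demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token, expected_nonce, now=None):
    """RP-side checks needed in every flow; raises ValueError on any failure."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never accept 'none' or a surprise alg
    expected = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:        # binds token to the session that asked for it
        raise ValueError("nonce mismatch: token replayed or injected")
    return claims
```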