[Openid-specs-ab] openid connect and implicit/hybrid flows

Vittorio Bertocci vittorio.bertocci at auth0.com
Wed May 11 10:56:51 UTC 2022


Hi Nikos,
The deprecation of the implicit flow in oauth2.1 is only about returning
ACCESS tokens through the front channel.  The id_token is completely
different, and unaffected.
The oauth2.1 draft has specific language addressing your very question,
please refer to
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-10.1
and
if at all possible, spread that link far and wide :)

On Wed, May 11, 2022 at 11:02 Nikos Fotiou via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi all,
>
> I would love your opinion on the following. Since the implicit flow is
> discouraged in OAuth 2.0, I was under the impression that the implicit and
> hybrid flows should be avoided in OpenID Connect as well.
>
> However, I was browsing Microsoft's documentation for their Active
> Directory B2C product, which supports OpenID Connect, and all their
> examples use the hybrid flow (
> https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect).
> Moreover, they mention the authorization code flow as something "fancy",
> which is used "only to web applications that need to make authenticated
> calls to a web API". This is reflected in Microsoft's Identity Web library
> (
> https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web)
> where, in order to use the authorization code flow, you have to call a
> function named "EnableTokenAcquisitionToCallDownstreamApi".
>
> So in scenarios where the RP is a regular web application that needs only
> the ID token:
>
> - Does the implicit flow introduce security threats?
>
> - Should the authorization code flow be preferred?
>
> Best,
>
> Nikos
>
>
>
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
>
> Researcher - Mobile Multimedia Laboratory
>
> Athens University of Economics and Business
>
> https://mm.aueb.gr
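The reason the id_token is unaffected by the OAuth 2.1 deprecation is that, unlike an access token, it is a signed assertion addressed to the RP, which can validate it itself before trusting anything that arrived in the fragment. The block below is an added example, not code from this thread, Auth0 or Microsoft: it performs the RP-side checks OIDC Core lists for an id_token received with response_type=id_token (signature, iss, aud/azp, exp, nonce), using the constructed issuer, client_id and client_secret declared at the top, with the client_secret serving as the HS256 key as OIDC Core permits.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (not from the thread): an OP issuer, a client_id,
# and the client_secret that OIDC Core lets an OP use as the HS256 key.
ISSUER = "https://op.example"
CLIENT_ID = "rp-client-id"
CLIENT_SECRET = b"constructed-client-secret-for-the-example"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_sample_id_token(claims: dict, secret: bytes = CLIENT_SECRET, alg="HS256") -> str:
    # Stand-in for the OP: builds a compact JWS so the validator has input to check.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Validate a front-channel id_token; return its claims or raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    try:
        h, b, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWS compact serialization")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # reject 'none' and any alg the RP did not register for
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not aud or CLIENT_ID not in aud:
        raise ValueError("not addressed to this client")
    if (len(aud) > 1 or "azp" in claims) and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must be this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # ties the token to this login attempt; blocks replay
        raise ValueError("nonce mismatch")
    return claims
```

A real RP would normally verify an RS256 signature against the OP's JWKS instead of a shared secret, but the claim checks are the same.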