[Openid-specs-ab] openid connect and implicit/hybrid flows

Nikos Fotiou fotiou at aueb.gr
Wed May 11 11:27:32 UTC 2022


Hi Vittorio,
Thanks for the response. I understand that the id_token is not affected. But my question really is "if I am interested only in the id_token and I can use both hybrid flow and authorization code flow, is there any (security) reason to select the latter?" Or are both flows equally secure (again only wrt the id_token)?

Best,
Nikos
--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr

> On 11 May 2022, at 1:54 PM, Vittorio Bertocci <vittorio.bertocci at okta.com> wrote:
> 
> Hi Nikos,
> The deprecation of the implicit flow in oauth2.1 is only about returning ACCESS tokens thru the front channel. The id_token is completely different - and unaffected.
> The oauth2.1 draft has specific language addressing your very question, please refer to 
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-10.1 and if at all possible, spread that link far and wide :)
> 
> On Wed, May 11, 2022 at 11:02 Nikos Fotiou via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> Hi all,
> 
> I would love your opinion on the following. Since implicit flow is discouraged in OAuth 2.0, I was under the impression that the implicit and hybrid flows should be avoided in OpenID Connect as well.
> 
> However, I was browsing Microsoft’s documentation for their Active Directory B2C product, which supports OpenID Connect, and all their examples are using hybrid flow (https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect). Moreover, they mention authorization code flow as something “fancy”, which is used “only to web applications that need to make authenticated calls to a web API”. This is reflected in Microsoft’s Identity Web library (https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web), where in order to use the authorization code flow you have to call a function named “EnableTokenAcquisitionToCallDownstreamApi”.
> 
> So in scenarios where the RP is a regular web application that needs only the ID token:
> 
> - Does implicit flow introduce security threats?
> - Should authorization code flow be preferred?
> 
> Best,
> Nikos
> 
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
> 
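Whichever flow delivers the id_token to the RP, what makes a front-channel ID token safe to rely on is the validation the RP performs on it (signature, iss, aud, exp, nonce, and in hybrid flow the c_hash that binds the returned code to the token). The following is an added Python example, not code from this thread or from the Microsoft libraries mentioned in it; it assumes an HS256-signed token (client_secret as the key) and uses constructed sample values for the issuer, client, nonce and code.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def half_hash(value: str) -> str:
    # c_hash / at_hash per OIDC Core 3.3.2.11: left half of the SHA-256 digest (HS256/RS256), base64url
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def mint_hs256(claims: dict, secret: str) -> str:
    # Constructed helper standing in for the OP: signs the claims with the client_secret (HS256).
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token, secret, issuer, client_id, nonce, now, code=None):
    """RP-side checks for an ID token received on the front channel; returns the claims or raises ValueError."""
    h, p, s = token.split(".")  # ValueError if the token does not have exactly three segments
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    mac = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # binds the token to this login attempt; defeats replay and injection
    if code is not None and claims.get("c_hash") != half_hash(code):
        raise ValueError("c_hash mismatch")  # hybrid flow: the code must be the one the OP issued with this token
    return claims

# Constructed sample values (not from the thread): a hybrid-flow response carrying both code and id_token.
SECRET, ISSUER, CLIENT_ID = "example-client-secret", "https://op.example", "rp-client-id"
NONCE, CODE, NOW = "n-0S6_WzA2Mj", "SplxlOBeZQQYbYS6WxSbIA", 1652268000
SAMPLE_TOKEN = mint_hs256({"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "exp": NOW + 600,
                           "iat": NOW, "nonce": NONCE, "c_hash": half_hash(CODE)}, SECRET)
```

The nonce must be generated per login and stored in the RP session before redirecting; the RP compares it on return and discards it afterwards so the same id_token cannot be presented twice.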
