[Openid-specs-ab] openid connect and implicit/hybrid flows

Vittorio Bertocci vittorio.bertocci at auth0.com
Wed May 11 14:08:13 UTC 2022


Thank you. Code flow is more onerous and doesn’t rely on the front channel
as much, hence I think one can say it is more secure. At the same time, it
requires more administrative overhead hence might or might not match the
security posture your scenario requires. Going to do groceries in a tank is
more secure than going on a bicycle, but that doesn’t mean the investment
is warranted. The front channel id_token isn’t that different from what
SAML has done for a long time, hence it remains a viable approach for many
scenarios.

On Wed, May 11, 2022 at 13:27 Nikos Fotiou <fotiou at aueb.gr> wrote:

>
> Hi Vittorio,
> Thanks for the response. I understand that the id_token is not affected.
> But my question really is "if I am interested only in id_token and I can
> use both hybrid flow and authorization code flow, is there any (security)
> reason to select the latter?" Or are both flows equally secure (again only
> wrt the id_token)?
>
> Best,
> Nikos
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
>
> > On 11 May 2022, at 1:54 PM, Vittorio Bertocci <
> vittorio.bertocci at okta.com> wrote:
> >
> > Hi Nikos,
> > The deprecation of the implicit flow in oauth2.1 is only about returning
> ACCESS tokens thru the front channel.  The id_token is completely
> different- and unaffected.
> > The oauth2.1 draft has specific language addressing your very question,
> please refer to
> >
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-10.1
> and if at all possible, spread that link far and wide :)
> >
> > On Wed, May 11, 2022 at 11:02 Nikos Fotiou via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> >
> > Hi all,
> >
> > I would love your opinion on the following. Since implicit flow is
> discouraged in OAuth 2.0 I was under the impression that implicit and
> hybrid flow should be avoided in openid connect as well.
> >
> > However, I was browsing Microsoft’s documentation for their Active
> Directory B2C product, which supports openid connect, and all their
> examples are using hybrid flow (
> https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect).
> Moreover, they mention authorization code flow as something “fancy”,
> which is used “only to web applications that need to make authenticated
> calls to a web API”. This is reflected in Microsoft’s Identity Web library
> (
> https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web)
> where in order to use the authorization code flow you have to call a
> function which is named “EnableTokenAcquisitionToCallDownstreamApi”.
> >
> > So in scenarios where the RP is a regular web application that needs
> only the ID token:
> >
> > - Does implicit flow introduce security threats?
> >
> > - Should authorization code flow be preferred?
> >
> > Best,
> >
> > Nikos
> >
> > Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> > Researcher - Mobile Multimedia Laboratory
> > Athens University of Economics and Business
> > https://mm.aueb.gr
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
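An added example, not part of this thread and not code from any of the posters, of what the RP-side checks on a front-channel id_token look like for the hybrid flow (response_type=code id_token) the thread is about. It assumes a confidential client whose OP signs the id_token with HS256 keyed by the client_secret, which OIDC Core allows; the issuer URL, client_id, secret, authorization code, nonce and subject values are all constructed for the demo. The security point it illustrates is the one behind "viable for many scenarios": an id_token that arrived through the browser is only as trustworthy as the RP's validation of its signature, iss, aud, exp, nonce and c_hash.

```python
"""RP-side validation of a hybrid-flow (response_type=code id_token) front-channel
id_token: signature, iss, aud, exp, nonce and c_hash, as OIDC Core requires.
Constructed demo using HS256 keyed with the client_secret; standard library only."""

import base64
import hashlib
import hmac
import json

# Constructed values for this example (not a real OP or RP).
ISSUER = "https://op.example"                                  # assumed OP issuer
CLIENT_ID = "rp-client-123"                                    # assumed RP client_id
CLIENT_SECRET = b"constructed-client-secret-for-the-example"   # assumed shared secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def c_hash(code: str) -> str:
    """Left-most half of SHA-256 (the hash of HS256) over the ASCII code, base64url."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def op_issue_id_token(code: str, nonce: str, sub: str, now: int) -> str:
    """OP side: mint the id_token that is returned next to the code in the fragment."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now, "exp": now + 300,
              "nonce": nonce, "c_hash": c_hash(code)}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class IdTokenError(ValueError):
    pass


def rp_validate_id_token(id_token: str, code: str, expected_nonce: str, now: int) -> dict:
    """RP side: every check the spec requires before a front-channel id_token is trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed JWT")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # pin the alg; never accept "none"
        raise IdTokenError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise IdTokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise IdTokenError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise IdTokenError("expired")
    # nonce ties the token to the browser session that started the flow (replay defence)
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise IdTokenError("nonce mismatch")
    # c_hash ties the token to the code delivered with it, so a swapped-in code is caught
    if not hmac.compare_digest(str(claims.get("c_hash", "")), c_hash(code)):
        raise IdTokenError("c_hash mismatch")
    return claims


def demo() -> dict:
    """Round trip plus the failure cases an RP must reject."""
    now = 1_652_277_600                    # fixed clock so the demo is deterministic
    nonce = "n-0S6_WzA2Mj"                 # RP stored this in the session before redirecting
    code = "SplxlOBeZQQYbYS6WxSbIA"        # code that came back in the same fragment
    token = op_issue_id_token(code, nonce, "248289761001", now)

    # Forged token: same signature, payload edited to claim a different subject.
    h, p, s = token.split(".")
    forged = json.loads(b64url_decode(p))
    forged["sub"] = "attacker"
    tampered = f"{h}.{b64url(json.dumps(forged, separators=(',', ':')).encode())}.{s}"

    results = {"valid_sub": rp_validate_id_token(token, code, nonce, now)["sub"]}
    cases = {"swapped_code": (token, "attacker-code", nonce, now),
             "wrong_nonce": (token, code, "stale-nonce", now),
             "expired": (token, code, nonce, now + 3600),
             "tampered": (tampered, code, nonce, now)}
    for label, args in cases.items():
        try:
            rp_validate_id_token(*args)
            results[label] = "accepted"
        except IdTokenError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two checks that matter most for the question in the thread are the last two: the nonce is what lets the RP reject a front-channel id_token replayed from another session, and c_hash is what stops an attacker from pairing a legitimate id_token with a code of their own when the RP does go on to redeem the code. With the pure code flow neither value crosses the front channel, which is why it is "more secure" but also why the front-channel id_token is still acceptable when these checks are actually performed.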