[Openid-specs-ab] add security warning to implicit grant or deprecation in OIDC

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Sat Feb 17 12:31:39 UTC 2024


Hi,

The IETF OAuth2 WG and OWASP are warning about the implicit grant type.

OWASP writes in https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses
"The implicit flow in OAuth only is deprecated, yet is still a viable solution within Open ID Connect (OIDC) to retrieve id_tokens. Be careful to understand how the implicit flow is being used"

We have https://openid.net/specs/openid-connect-implicit-1_0.html but I would prefer to have the threats and mitigations and maybe even a removal from oidc core for implicit flow in core directly.

Probably this has been discussed before, but why is the OIDC spec not more explicit in warning about the implicit flow's security threats, or even deprecating the implicit flow?

Kind regards
Axel
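As an added illustration of the distinction the post draws (OAuth 2.0 implicit versus OIDC implicit and the code flow), here is a small checker that classifies an authorization request by its response_type using the flow names from OpenID Connect Core section 3 and flags requests that would deliver tokens in the URL fragment. This is example code, not from the mailing-list post or any OpenID specification; the policy it enforces (refuse implicit, require PKCE S256 and state for the code flow) is an assumption of this example.

```python
# Added example (not from the post or any OpenID spec): classify an OAuth 2.0 /
# OIDC authorization request by response_type (flow names per OIDC Core section 3)
# and apply a defensive policy. The policy itself is this example's assumption.
from urllib.parse import urlsplit, parse_qs

# response_type value sets and the flow each selects (OIDC Core section 3).
FLOWS = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
    frozenset({"token"}): "oauth2_implicit",  # plain OAuth 2.0 implicit, no id_token
}

def classify_flow(response_type: str) -> str:
    """Map a space-separated response_type to its flow name ('unknown' if unrecognised)."""
    return FLOWS.get(frozenset(response_type.split()), "unknown")

def check_authorization_request(url: str) -> tuple[bool, list[str]]:
    """Return (allowed, findings) for one authorization request URL.

    Policy (assumed here): any response that puts an access token or id_token in
    the fragment is refused; the code flow must carry PKCE S256; state is required;
    nonce is required whenever an id_token is requested directly.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    response_type = params.get("response_type", "")
    types = set(response_type.split())
    flow = classify_flow(response_type)
    findings = []
    if flow == "unknown":
        findings.append(f"unrecognised response_type '{response_type}'")
    if flow in ("implicit", "oauth2_implicit"):
        findings.append("implicit flow returns tokens in the URL fragment; use the code flow")
    if flow == "hybrid" and "token" in types:
        findings.append("hybrid flow with 'token' returns an access token in the fragment")
    if "id_token" in types and "nonce" not in params:
        findings.append("id_token requested without nonce")
    if "code" in types and (
        params.get("code_challenge_method") != "S256" or "code_challenge" not in params
    ):
        findings.append("code flow without PKCE S256 code_challenge")
    if "state" not in params:
        findings.append("missing state parameter (CSRF protection)")
    return (not findings, findings)
```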