[Openid-specs-ab] Guidance on what the different flows are for

Mike Jones Michael.Jones at microsoft.com
Wed Oct 30 01:22:25 UTC 2013


Several reviewers have requested guidance on when to use the different flows.  I believe that we'd be doing a service to our readers by providing it.

Several reviewers have objected to this text in http://openid.net/specs/openid-connect-core-1_0.html#Authentication - saying that sometimes the Code flow is used even when the client can't maintain the secrecy of the client_secret:
The Authorization Code Flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server whereas, the Implicit Flow is suitable for Clients that cannot.

I believe that that the statement would still be true if we changed the word "suitable" to "intended".  And then, as discussed in the F2F meeting, we could add the sentence:
"However, the Authorization Code flow is sometimes also used by Native applications in order to be able to obtain a Refresh Token, even when they cannot ensure the secrecy of the client_secret value."

Would that combination work for people?

Finally, I propose that we add this guidance about the Hybrid Flow:
"The Hybrid flow enables Clients to obtain an ID Token and/or Access Token with only one round trip to the Authorization Server, possibly minimizing latency, while still enabling Clients to later get tokens from the Token Endpoint - especially a Refresh Token."

Per the decision at the F2F, all this "guidance" text would move to the introduction.

Are people good with the wording above, or would you like to make alternative suggestions?

                                                                -- Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131030/705eebc1/attachment.html>


More information about the Openid-specs-ab mailing list