<div><div dir="auto" style="font-size:1rem;color:rgb(49,49,49);word-spacing:1px">Hi Nikos,</div><div dir="auto" style="font-size:1rem;color:rgb(49,49,49);word-spacing:1px">The deprecation of the implicit flow in oauth2.1 is only about returning ACCESS tokens thru the front channel. The id_token is completely different- and unaffected. </div><div dir="auto" style="font-size:1rem;color:rgb(49,49,49);word-spacing:1px">The oauth2.1 draft has specific language addressing your very question, please refer to <div dir="auto" style="font-size:1rem"><a href="https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05*section-10.1__;Iw!!PwKahg!_eMmywOMLBENliklEmHt868yr-zWudlUEbFhe9Jjr8VHWz3P3zbx9KyHfGopTMakS8DV53MlDFP8T6qtluYm1Na8FcPgnoC5-AL_Zg$" target="_blank" style="font-size:1rem">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-10.1</a> and if at all possible, spread that link far and wide :)</div></div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 11, 2022 at 11:02 Nikos Fotiou via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EL" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div>
<p><strong>This message originated outside your organization.</strong></p><br>
<hr><br>
</div><div class="m_8384906290959538088WordSection1"><p class="MsoNormal"><span lang="EN-US">Hi all,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">I would love your opinion on the following. Since implicit flow is discouraged in OAuth 2.0 I was with the impression that implicit and hybrid flow should be avoided in openid connect as well. <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">However, I was browsing Microsoft’s documentation for their Active directory B2C product, which supports openid connect, and all their examples are using hybrid flow (<a href="https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect" target="_blank">https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect</a>). Moreover, they mention authorization code flow as something “fancy” , which is used “only to web applications that need to make authenticated calls to a web API”. This is reflected to Microsoft’s Identity Web library (<a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web" target="_blank">https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web</a>) where in order to use the authorization code flow you have to call a function which is named “EnableTokenAcquisitionToCallDownstreamApi”.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">So in scenarios where the RP in a regular web application that needs only the ID token:<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">- Does implicit flow introduces security threats?<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">- Should authorization code flow be preferred?<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">Best,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">Nikos<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">Nikos Fotiou - </span><a href="http://pages.cs.aueb.gr/~fotiou" target="_blank"><span lang="EN-US" style="color:#0563c1">http://pages.cs.aueb.gr/~fotiou</span></a><span lang="EN-US"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">Researcher - Mobile Multimedia Laboratory<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">Athens University of Economics and Business<u></u><u></u></span></p><p class="MsoNormal"><a href="https://mm.aueb.gr" target="_blank"><span style="color:#0563c1">https://mm.aueb.gr</span></a><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div></div>