I have trouble understanding the differences between the implicit and hybrid flows of the OpenID Connect protocol.
Can someone please highlight the practical and security differences of each flow? Thank you
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Simply put, OpenID is used for authentication while OAuth is used for authorization. OpenID was created for federated authentication, meaning that it lets a third-party application authenticate users for you using accounts that you already have.
The Hybrid Flow is an OpenID Connect flow which incorporates characteristics of both the Implicit flow and the Authorization Code flow. It enables clients to obtain some tokens straight from the Authorization Endpoint, while still having the possibility to get others from the Token Endpoint.
There are three flow types: Authorization Code Flow, Implicit Flow, and Hybrid Flow (OpenID Connect only).
The implicit flow delivers tokens in the front channel, i.e., via the browser; the hybrid flows deliver some tokens in the front channel and some in the back channel using direct HTTPS calls from client to Provider.
The back channel is generally considered to be more secure since it does not expose tokens to HTTP logs, browser caches, etc.
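To make the front-channel/back-channel distinction concrete, here is an added example (not part of the answer above) that mocks an OpenID Provider in-process and runs the implicit flow (`response_type=id_token token`) and the hybrid flow (`response_type=code id_token`) side by side, reporting which artifacts pass through the browser fragment and where the access token actually comes from. The issuer, redirect URI, client id and token values are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

ISSUER = "https://op.example"            # constructed placeholder, not a real OP
REDIRECT_URI = "https://rp.example/cb"   # constructed placeholder
FLOWS = {"implicit": "id_token token", "hybrid": "code id_token"}
_codes = {}  # mock provider state: authorization code -> access token it redeems for

def authorization_request(flow, state, nonce):
    """Build the Authorization Endpoint request the client sends via the browser."""
    params = {"response_type": FLOWS[flow], "client_id": "rp", "scope": "openid",
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}"

def mock_authorize(url):
    """Mock provider: put artifacts in the redirect URL fragment according to response_type."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    out = {"state": q["state"]}
    wanted = q["response_type"].split()
    if "id_token" in wanted:
        out["id_token"] = f"idt.{q['nonce']}"  # a real OP returns a signed JWT carrying the nonce
    if "token" in wanted:                      # implicit flow: access token exposed to the browser
        out["access_token"] = "at_" + secrets.token_hex(8)
    if "code" in wanted:                       # hybrid flow: only a one-time code goes through the browser
        code = "c_" + secrets.token_hex(8)
        _codes[code] = "at_" + secrets.token_hex(8)
        out["code"] = code
    return f"{q['redirect_uri']}#{urlencode(out)}"

def mock_token_endpoint(code):
    """Mock back channel: the client redeems the code over a direct HTTPS call, never via the browser."""
    return {"access_token": _codes.pop(code)}

def run_flow(flow):
    """Return (artifacts seen by the browser, access token, channel it was obtained through)."""
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    redirect = mock_authorize(authorization_request(flow, state, nonce))
    frag = {k: v[0] for k, v in parse_qs(urlsplit(redirect).fragment).items()}
    # Defensive checks a client must do in both flows: bind the response to this request.
    if frag.get("state") != state or not frag.get("id_token", "").endswith(nonce):
        raise ValueError("state/nonce mismatch: response was not issued for this request")
    front = sorted(k for k in frag if k != "state")
    if "access_token" in frag:
        return front, frag["access_token"], "front channel (URL fragment)"
    return front, mock_token_endpoint(frag["code"])["access_token"], "back channel (Token Endpoint)"
```

Running `run_flow("implicit")` shows the access token in the browser fragment, while `run_flow("hybrid")` shows only the code and ID token there and fetches the access token through the Token Endpoint.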