There are multiple auth flows in OIDC; Implicit and Auth Code flow are the 2 primary ones accessible to SPAs. Recent emails on the IETF mailing list indicate that Auth Code flow should be preferred over Implicit flow due to security issues of having access tokens show up in browser history and/or log files (if any SSL termination/inspection is in place, etc.).
Are there any whitepapers or RFCs which support one flow over another? Is there an industry-standard/accepted approach today?
This has been cross-posted to SoftwareEngineering as it is somewhat of a debatable topic. I am not looking for opinions, but rather for official help/whitepaper/reference material that would support the claim of better security/implementation. I have been unable to find them, and consequently am not sure which method to use.
OpenID Connect supports the following authentication flows: The Implicit Flow is required for apps that have no “back end” logic on the web server, like a JavaScript app. The Authentication (or Basic) Flow is designed for apps that have a back end that can communicate with the IdP away from prying eyes.
It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.
The Authorization Code flow is best used in web and mobile apps. Since the Authorization Code grant has the extra step of exchanging the authorization code for the access token, it provides an additional layer of security not present in the Implicit grant type.
Session Auth is just Token authentication, but with a few differences that make it seem like a slightly different thing: Users start with an unauthenticated token. The backend maintains a 'state' object that is tied to a user's token. The token is provided in a cookie.
There was some movement with respect to public clients (SPAs) in late 2018. Now there are two drafts of best practices, both suggesting using the auth code flow instead of implicit.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-11
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-00