OpenID Connect: Implicit or Auth Code flow for SPAs?
There are multiple auth flows in OIDC; Implicit and Auth Code flow are the 2 primary ones accessible to SPAs. Recent emails in the IETF mailing list indicate that Auth Code flow should be preferred over Implicit flow due to security issues of having access tokens show up in browser history and/or log files (if any SSL termination/inspection is in place, etc.).

Are there any whitepapers or RFCs which support one flow over another? Is there an industry-standard/accepted approach today?

This has been cross-posted to SoftwareEngineering as it is somewhat of a debatable topic. I am not looking for opinions; but rather for official help/whitepaper/reference material that would support the claim of better security/implementation. I have been unable to find them, and consequently am not sure which method to use.

Astrograph answered 20/9, 2018 at 13:58 Comment(5)
Implicit flow is designed for SPAs. Auth. code flow requires a back-channel call to the authorisation server. An SPA cannot perform such a call as it runs in the browser. But if the SPA can use a backend (server) for the backend communication, then it is possible to use auth. code flow for an SPA as well. I am not aware of any whitepaper or RFC mentioning this. – Rockfish
@KavinduDodanduwa I don't see any reason that a JavaScript lib cannot make an ajax call to recoup the access/refresh tokens with auth code flow, esp. in the case of an SPA. That being said, is having a refresh token in an SPA a secure thing? I can't find any documentation to that extent. – Astrograph
Indeed they can. But isn't it the case that JS runs in the browser? Won't the end user be able to see the request and response data? That's what needs to be avoided. Well, OAuth doesn't provide refresh tokens for implicit flow! That's mandated by the specification. – Rockfish
I understand your concern. This type of pattern should also be supported by the OIDC provider. I don't think all the implementations allow posting to the Token endpoint without client credentials (using just code and redirect URI). However, there is a good write-up on this: oauth.com/oauth2-servers/single-page-apps – Income
Use code flow with PKCE, see my answer on Software Engineering. – Annitaanniversary
This has been cross-posted to SoftwareEngineering as it is somewhat of a debatable topic. I am not looking for opinions; but rather for official help/whitepaper/reference material that would support the claim of better security/implementation. I have been unable to find them, and consequently am not sure which method to use.

There was some movement with respect to public clients (SPAs) in late 2018. Now there are two drafts of best practices both suggesting using auth code flow instead of implicit.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-11
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-00

Carburetor answered 28/2, 2019 at 14:1 Comment(3)
Thanks for the insight/update. It actually provides some additional food for thought and aligns a little bit better with my expectations. – Astrograph
More info: learn.microsoft.com/en-us/azure/active-directory/develop/… – Muniz
Basically forget about implicit code flow. It's deprecated. – Muniz
