I have several questions.
Authorization Code Flow and nonce
Do I need to verify the nonce on the client side when using Authorization Code Flow? In the general OAuth Provider implementation, the process of obtaining an access token from an authorization code only works once. From this, it seems that Authorization Code Flow already supports replay attacks without using nonce?
Authorization Code Flow and ID Token
What are the benefits of using Authorization Code Flow in web applications? ID Token is a mechanism for authentication, not authorization; I understand that it is used to verify which OpenID Provider is authenticating which user for which Relying Party.
But in Authorization Code Flow,
- OAuth 2.0 requires HTTPS to be used. From this, if the SSL certificate verification is correctly implemented, it will be proof of a valid OpenID Provider.
- In the general OAuth Provider implementation, when obtaining the access token from the authorization code, the combination of the authorization code, the client ID and the secret is verified at that point. From this, it will prove that it is executing the access token acquisition process from the correct OAuth client.
- By specifying the state parameter to create an authorization request and verifying it when acquiring an access token, it will prove that it is obtaining the access token from the correct user.
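The three checks the question discusses (one-time code exchange, state, nonce) each bind a different thing, so here is an added example, not code from the question or any library, of what a Relying Party would do with state and nonce on its side: state ties the callback to the browser session that started the login, and nonce ties the ID token itself to that same login request. Session storage, parameter names and the ID-token claims are constructed for the example; signature/JWKS verification of the ID token is assumed to be done by a JOSE library before the decoded claims reach `validate_id_token_claims()`.

```python
import secrets
import time

# Added example, not from the question. The "session" is a plain dict that
# stands in for a server-side session store keyed by the browser's cookie.
# Signature verification of the ID token (via the OP's JWKS) is assumed to
# have already been done by a JOSE library; this code validates the claims.

def start_login(session, client_id, redirect_uri):
    """Build the authorization request and remember state/nonce in the session."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }

def check_callback_state(session, callback_params):
    """state: the callback must come from the session that started the login."""
    expected = session.pop("oidc_state", None)  # one-time use
    got = callback_params.get("state")
    if expected is None or got is None or not secrets.compare_digest(expected, got):
        raise ValueError("state mismatch: callback is not bound to this session")
    return callback_params["code"]

def validate_id_token_claims(claims, session, client_id, issuer, now=None):
    """nonce: the ID token must be the one issued for this session's request."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("ID token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    expected_nonce = session.pop("oidc_nonce", None)  # one-time use
    got_nonce = claims.get("nonce", "")
    if expected_nonce is None or not secrets.compare_digest(expected_nonce, got_nonce):
        raise ValueError("nonce mismatch: ID token is not bound to this login")
    return claims["sub"]
```

Note that the one-time use of the authorization code is enforced by the OP, while the state and nonce checks above can only be enforced by the RP, which is why an ID token presented to a session that never requested it is rejected even though the code exchange itself succeeded once.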