3 votes

I cannot figure out the advantages of using the Authorization Code Grant vs. the Implicit Flow for authentication purposes only in a classic web app.

Say there is a web app which authenticates via a 3rd-party IaaS provider. The web app only needs to know if a user (identified by some ID) is authenticated. The web app does not hit any 3rd-party services and so does not need to have any access tokens for authorisation purposes.

In this example, I do not see how getting the user_id (JWT token) directly into the web browser from the IaaS is less secure than getting the same user_id via the web backend. In both cases a session will be established. What do I lose if I use the implicit grant in this case?


2 Answers

1 vote

Depends on where your web app runs. If it runs completely in the browser (e.g. it's a JavaScript app or SPA), then I would use the implicit flow, because the Authorization Code grant is optimised for confidential clients.

If your web app runs on a server, then it's more secure to use the Authorization Code grant, because the token would be sent from the IaaS provider (auth server) directly to the web-app server (client) and not via the user's (resource owner's) browser.

1 vote

The Implicit Flow is a legacy flow and dates from a time when browsers could only make calls to a same-origin server. One of the issues when using the implicit flow is that it returns the access token in the redirect. The redirect can become part of the browser history, which then contains the access token. Also, if the history of multiple devices is synced with your browser, that increases the security risk.

The Authorization Code flow (with PKCE), on the other hand, does not have the access token as part of the URL, which makes it a bit more secure.

You can refer to Is the OAuth 2.0 Implicit Flow Dead? for more details.
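To make the two answers concrete, the following added example (written for this page, not code from either answerer or from any OAuth library) models both redirects and the PKCE exchange from RFC 7636. It builds the redirect URL each flow sends back to the client and checks which one carries a token where browser history would record it, then simulates the authorization server's code-for-token exchange with an S256 PKCE check. The redirect URI and the `TokenEndpoint` class are constructed for the example; the verifier/challenge test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client redirect URI, constructed for this example.
REDIRECT_URI = "https://webapp.example/callback"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Client side: a fresh high-entropy verifier (kept by the client) and the
    challenge that goes into the authorization request. 32 random bytes give
    a 43-character verifier, inside the 43..128 range RFC 7636 allows."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def implicit_redirect(access_token: str, state: str) -> str:
    """Implicit grant: the token itself is placed in the URL fragment."""
    params = {"access_token": access_token, "token_type": "bearer", "state": state}
    return REDIRECT_URI + "#" + urlencode(params)


def auth_code_redirect(code: str, state: str) -> str:
    """Authorization code grant: only a short-lived, single-use code is in the URL."""
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})


def tokens_in_url(url: str) -> list:
    """Names of token-bearing parameters present in the query or fragment,
    i.e. what would be written to browser history by this redirect."""
    parts = urlparse(url)
    params = {**parse_qs(parts.query), **parse_qs(parts.fragment)}
    return sorted(k for k in params if k in ("access_token", "id_token"))


class TokenEndpoint:
    """Constructed model of the authorization server's code -> token exchange.
    The code is bound to the PKCE challenge and redirect URI at issue time and
    can be redeemed once, only by the party holding the matching verifier."""

    def __init__(self):
        self._pending = {}  # code -> (code_challenge, redirect_uri)

    def issue_code(self, code_challenge: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, redirect_uri)
        return code

    def exchange(self, code: str, code_verifier: str, redirect_uri: str):
        entry = self._pending.pop(code, None)  # pop: a replayed code fails
        if entry is None:
            return None
        challenge, bound_uri = entry
        if bound_uri != redirect_uri:
            return None
        if not hmac.compare_digest(pkce_challenge(code_verifier), challenge):
            return None  # verifier does not match the challenge sent earlier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


if __name__ == "__main__":
    print("implicit  ->", tokens_in_url(implicit_redirect("demo-token", "xyz")))
    print("auth code ->", tokens_in_url(auth_code_redirect("demo-code", "xyz")))
    verifier, challenge = new_pkce_pair()
    server = TokenEndpoint()
    code = server.issue_code(challenge, REDIRECT_URI)
    print("exchange  ->", server.exchange(code, verifier, REDIRECT_URI) is not None)
    print("replay    ->", server.exchange(code, verifier, REDIRECT_URI))
```

The `tokens_in_url` check is the heart of the second answer: the implicit redirect reports `['access_token']` because the token rides in the fragment, while the authorization-code redirect reports nothing, since the code alone is useless without the verifier the client kept in memory and the exchange happens server to server. For the questioner's authentication-only case the same applies to an `id_token`, which the function also recognises.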