Aaron Parecki


    Implicit flow in the Security BCP draft -14

    February 12, 2020

    Hi all, I'm reading through the latest draft of the Security BCP, and noticed something I was hoping to get some clarification on. From the latest draft -14 section 2.1.2:

    In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.

    My understanding is that there is no way to prevent access token injection in the authorization response with just OAuth. It's only once you introduce OpenID Connect that it becomes possible to prevent ID token injection. If my understanding is correct, then it seems like it would be more appropriate for the Security BCP to say something like "access tokens MUST NOT be issued via the implicit grant." That would technically still leave open the possibility of using the hybrid response types in OIDC as long as the access token is delivered via the authorization code exchange, but it clarifies that there is no way to protect access tokens delivered via the implicit grant.

    So my question for the list is: am I forgetting about some way to prevent this attack in OAuth? If not, can we rephrase this section of the Security BCP to better clarify the intent here?
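As an added illustration (not part of the original post), this constructed Python example shows the two OpenID Connect checks that let a client detect an injected access token: the signed ID token's nonce ties it to the client's own session, and its at_hash claim (OIDC Core 3.3.2.11) binds it to the access token delivered alongside it. A plain OAuth response type "token" carries no such claim, so the client has nothing to compare the token against. The HS256 shared demo key, issuer URL, client id and token strings are all constructed assumptions; real OPs sign with asymmetric keys.

```python
import base64, hashlib, hmac, json

# Constructed demo key standing in for the OP's signing key (HS256 keeps the example short).
OP_KEY = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def at_hash(access_token: str) -> str:
    # OIDC Core 3.3.2.11: left-most half of the SHA-256 digest of the ASCII access
    # token, base64url encoded (SHA-256 because the ID token alg is HS256).
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def op_issue_id_token(access_token: str, nonce: str) -> str:
    """Constructed OP side: sign an ID token carrying the session nonce and at_hash."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": "https://op.example", "aud": "client-app",
                                "nonce": nonce, "at_hash": at_hash(access_token)}).encode())
    sig = hmac.new(OP_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def client_verify(id_token: str, access_token: str, expected_nonce: str) -> bool:
    """Client side: the checks an OIDC client runs on an authorization response that
    delivered both an ID token and an access token. A bare OAuth implicit response
    has no ID token, so none of these checks are available to it."""
    try:
        header, claims, sig = id_token.split(".")
    except ValueError:
        return False
    expected_sig = hmac.new(OP_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected_sig), sig):
        return False  # forged or altered ID token: attacker cannot mint a matching at_hash
    body = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    if body.get("nonce") != expected_nonce:
        return False  # ID token was issued for a different session (replayed)
    # Access token in the response must be the one the OP bound into the ID token.
    return hmac.compare_digest(body.get("at_hash", ""), at_hash(access_token))
```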

    Wed, Feb 12, 2020 3:43pm -08:00 #oauth #ietf #implicit