Quote of the Day

more Quotes

Categories

Get notified of new posts

Buy me coffee

Tag Archives for " open redirector "

Why the implicit flow is no longer recommended for protecting a public client.

Published March 16, 2020 in OAuth2 , security - 0 Comments

In his post on The State of the Implicit Flow in OAuth2, Brook Allen mentions several reasons why OIDC/OAuth2 implicit flow is no longer a recommended approach to protect a public application and discusses using Oauth2 authorization code grant with Proof key for code exchange (PKCS) if the client and the resource server run on different domains, or simply using cookie based authentication with same-site cookie policy if the client and resource server run on a same domain. This post is my notes on what I have learned after reading Brook Allen’s post and also the related documents from Internet Engineering Task Force about the security risks of using OAuth2 implicit flow.

Continue reading