Discussion of Coding

Blog coding and discussion of coding about JavaScript, PHP, CGI, general web building etc.

Saturday, February 27, 2016

What is the purpose of the implicit grant authorization type in OAuth 2?

Author:  |   |  No comments | 

What is the purpose of the implicit grant authorization type in OAuth 2?


I don't know if I just have some kind of blind spot or what, but I've read the OAuth 2 spec many times over and perused the mailing list archives, and I have yet to find a good explanation of why the Implicit Grant flow for obtaining access tokens has been developed. Compared to the Authorization Code Grant, it seems to just give up on client authentication for no very compelling reason. How is this "optimized for clients implemented in a browser using a scripting language" (to quote the specification)?

Both flows start out the same (source: http://tools.ietf.org/html/draft-ietf-oauth-v2-22):

  1. The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint.
  2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
  3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration).
    • The redirection URI includes an authorization code (Authorization code flow)
    • The redirection URI includes the access token in the URI fragment (Implicit flow)

Here's where the flows split. In both cases the redirection URI at this point is to some endpoint hosted by the client:

  • In the Authorization code flow, when the user agent hits that endpoint with the Authorization code in the URI, code at that endpoint exchanges the authorization code along with its client credentials for an access token which it can then use as needed. It could, for example, write it into a web page that a script on the page could access.
  • The Implicit flow skips this client authentication step altogether and just loads up a web page with client script. There's a cute trick here with the URL fragment that keeps the access token from being passed around too much, but the end result is essentially the same: the client-hosted site serves up a page with some script in it that can grab the access token.

Hence my question: what has been gained here by skipping the client authentication step?

Answer by Philip Peshin for What is the purpose of the implicit grant authorization type in OAuth 2?


Here are my thoughts: The purpose of auth code + token in authorization code flow is that token and client secret will never be exposed to resource owner because they travel server-to-server. On the other side, implicit grant flow is for clients that implemented entirely using javascript and running in resource owner's browser. You do not need any server side code to use this flow. Then, if everything happens in resource owner's browser it makes no sense to issue auth code & client secret anymore, because token & client secret will still be shared with resource owner. Including auth code & client secret just makes the flow more complex without adding any more real security.

So the answer on "what has been gained?" is "simplicity".

Answer by tzuchien.chiu for What is the purpose of the implicit grant authorization type in OAuth 2?


I'm not sure that I understand correctly the answer and Dan's comment. It seems to me that the answer has stated some facts correct but it does point out exactly what OP asked. If I understand correctly, the major advantage of the implicit grant flow is that a client like JS app (e.g Chrome extension) doesn't have to expose the client secret.

Dan Taflin said:

...in the authorization code flow the resource owner never needs to see the access token, whereas in javascript clients that's unavoidable. Client secret could still be kept from javascript clients using authorization code flow, however..

Perhaps I misunderstood you, but the client (JS app in this case) must pass the client credential (client key and secret) to the resource server in the authorization code flow, right ? The client secret cannot be "kept from JS".

Answer by Will for What is the purpose of the implicit grant authorization type in OAuth 2?


It boils down to: If a user is running a browser-based, or "public", (JavaScript) web app with no server side component, then the user implicitly trusts the app (and the browser where it runs, potentially with other browser-based apps...).

There is no 3rd-party remote server, only the resource server. There is no benefit to an authorization code, because there is no other agent besides the browser acting on behalf of the user. There is no benefit to client credentials for the same reason. (Any client can attempt to use this flow.)

The security implications, however, are significant. From http://tools.ietf.org/html/rfc6749#section-10.3:

When using the implicit grant type, the access token is transmitted in the URI fragment, which can expose it to unauthorized parties.

From http://tools.ietf.org/html/rfc6749#section-10.16:

A resource owner may willingly delegate access to a resource by granting an access token to an attacker's malicious client. This may be due to phishing or some other pretext...

Answer by JW. for What is the purpose of the implicit grant authorization type in OAuth 2?


The usual explanation is that the Implicit grant is easier to implement when you're using a JavaScript client. But I think this is the wrong way to look at it. If you're using a JavaScript client that requests protected resources directly via XMLHttpRequest, the Implicit grant is your only option, although it's less secure.

The Authorization Code grant provides additional security, but it only works when you have a web server requesting the protected resources. Since the web server can store the access token, you run less risk of the access token being exposed to the Internet, and you can issue a token that lasts a long time. And since the web server is trusted, it can be given a "refresh token", so it can get a new access token when the old one expires.

But -- and this is a point that's easy to miss -- the security of the Authorization code flow works only if the web server is protected with a session, which is established with user authentication (login). Without a session, an untrusted user could just make requests to the web server, using the client_id and secret, and it would be the same as if the user had the access token. Adding a session means that only an authenticated user can access the protected resources. The client_id and secret are just "identity" of the JS webapp, not authentication of said webapp.

It also means that you can end the session before the OAuth token expires. There's no standard way to invalidate an access token. But if your session expires, the access token is useless, since nobody knows it but the web server. If an untrusted user gained access to your session key, they would only be able to access the protected resources for as long as the session was valid.

If there's no web server, you have to use the Implicit grant. But this means that the access token is exposed to the Internet. If an untrusted user gains access to it, they can use it until it expires. This means they'll have access to it for longer than with an Authorization Code grant. So you may want to consider making the token expire sooner, and avoid giving access to more sensitive resources.

Answer by Artjom for What is the purpose of the implicit grant authorization type in OAuth 2?


You should consider the difference between the user agent and the client:

The user-agent is the software whereby the user ("resource owner") communicates with other parts of the system (authentication server and resource server).

The client is the software which wants to access the resources of the user on the resource server.

In the case of decoupled user-agent and client the Authorization Code Grant makes sense. E.g. the user uses a web-browser (user-agent) to login with his Facebook account on Kickstarter. In this case the client is one of the Kickstarter's servers, which handles the user logins. This server gets the access token and the refresh token from Facebook. Thus this type of client considered to be "secure", due to restricted access, the tokens can be saved and Kickstarter can access the users' resources and even refresh the access tokens without user interaction.

If the user-agent and the client are coupled (e.g. native mobile application, javascript application), the Implicite Authorization Workflow may be applied. It relies on the presence of the resource owner (for entering the credentials) and does not support refresh tokens. If this client stores the access token for later use, it will be a security issue, because the token can be easily extracted by other applications/users of the client. The absence of the refresh token is an additional hint, that this method is not designed for accessing the user resources in the absence of the user.

Answer by Hans Z. for What is the purpose of the implicit grant authorization type in OAuth 2?


in addition to the other answers it is also important to realize that the Implicit profile allows for a front-channel only flow as opposed to the Authorization Code flow that requires a call back to the Authorization Server; this becomes evident in OpenID Connect which is an SSO protocol built on top of Auth 2.0 where the Implicit flow resembles the pretty popular SAML POST binding and the Authorization Code flow resembles the less widely deployed SAML Artifact binding

Answer by Mike Schwartz for What is the purpose of the implicit grant authorization type in OAuth 2?


I think Will Cain answered this when he said " There is no benefit to client credentials for the same reason. (Any client can attempt to use this flow.)" Also consider that the redirect_uri for implicit flow maybe "localhost"--no callback is made from the Authorization Server for the implicit flow. As there is no way to pre-trust the client, the user would have to approve the release of user claims.

Answer by gakshay for What is the purpose of the implicit grant authorization type in OAuth 2?


My question is : http://tools.ietf.org/html/rfc6749#section-10.3

It says access token should be kept confidential in transit and storage. Now in case of Implicit flow:

  1. Transport layer can be made secure using TLS (HTTPS)
  2. Regarding storage. How can it be safe to store access token (say with 6 to 12 hours of expiry) in client application?


Fatal error: Call to a member function getElementsByTagName() on a non-object in D:\XAMPP INSTALLASTION\xampp\htdocs\endunpratama9i\www-stackoverflow-info-proses.php on line 72

0 comments:

Post a Comment

Popular Posts

Powered by Blogger.