What is the advantage of the OAuth2 implicit grant over the authorization code grant?

What is the advantage of the OAuth2 implicit grant?

In particular, I wonder why the implicit grant is recommended for public clients, but the authorization code grant is not. They seem so similar that the difference does not look significant.

+4

2 answers

Compare the client's work in both cases, bearing in mind that the client is the piece of software you have to write yourself.

In the case of an authorization code grant, the client has to perform these steps, as defined in the specification:

  • The client requests an access token from the authorization server's token endpoint, including the authorization code obtained in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirect URI used to obtain the authorization code, for verification.
  • The authorization server authenticates the client, validates the authorization code, and ensures that the redirect URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token.

In the case of the implicit grant, it has to do:

  • Get the access token.

Now the answer is more or less trivial: the amount of code in the first approach is unknown but can be significant, versus almost negligible for the second approach.

+1
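The token-endpoint checks listed in the answer above (client authentication, code validation, redirect URI match, then an access and refresh token in return) as a small worked example. This is an added illustration, not code from the answer, from the OAuth 2.0 specification, or from any real OAuth library; the client IDs, secret, redirect URIs and the `AuthorizationServer`, `authorize` and `token` names are all made up, and a confidential and a public client are registered so the same endpoint shows why a missing client secret leaves the server unable to tell who is redeeming a code.

```python
"""Toy OAuth 2.0 authorization server: the authorization code grant's
token endpoint (RFC 6749 sections 4.1.3 and 4.1.4).

Added illustration; not code from the answer, the spec, or any real
OAuth library. All client IDs, secrets and URIs are constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


class OAuthError(Exception):
    """Carries an RFC 6749 error code, e.g. 'invalid_client' or 'invalid_grant'."""


@dataclass
class Client:
    client_id: str
    redirect_uris: Set[str]
    client_secret: Optional[str] = None  # None = public client, which cannot keep a secret


@dataclass
class AuthCode:
    client_id: str      # which client the code was issued to
    redirect_uri: str   # the redirect URI used when the code was delivered
    expires_at: float
    used: bool = False  # codes are single use


class AuthorizationServer:
    CODE_LIFETIME = 60  # seconds; RFC 6749 recommends at most 10 minutes

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.codes: Dict[str, AuthCode] = {}

    def register(self, client: Client) -> None:
        self.clients[client.client_id] = client

    def authorize(self, client_id: str, redirect_uri: str) -> str:
        """Step (C): after the resource owner consents, issue a short-lived code
        bound to the client and to the redirect URI it was delivered to."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            raise OAuthError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, redirect_uri, time.time() + self.CODE_LIFETIME)
        return code

    def token(self, client_id: str, code: str, redirect_uri: str,
              client_secret: Optional[str] = None) -> Dict[str, object]:
        """Steps (D) and (E): the client redeems the code at the token endpoint."""
        client = self.clients.get(client_id)
        if client is None:
            raise OAuthError("invalid_client")
        # Confidential clients must authenticate; constant-time comparison so the
        # secret cannot be recovered byte by byte from response timing.
        if client.client_secret is not None and (
                client_secret is None
                or not hmac.compare_digest(client.client_secret, client_secret)):
            raise OAuthError("invalid_client")
        record = self.codes.get(code)
        if record is None or record.used or time.time() > record.expires_at:
            raise OAuthError("invalid_grant")
        # The code must come back from the client it was issued to, with the same
        # redirect URI that was used to deliver it.
        if record.client_id != client_id or record.redirect_uri != redirect_uri:
            raise OAuthError("invalid_grant")
        record.used = True  # a replayed code must fail from now on
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}


def _error_of(fn, *args, **kwargs) -> Optional[str]:
    """Return the OAuth error code a call raises, or None if it succeeds."""
    try:
        fn(*args, **kwargs)
        return None
    except OAuthError as exc:
        return str(exc)


def demo() -> Dict[str, object]:
    """Happy path plus the failure cases each check above exists for."""
    srv = AuthorizationServer()
    cb = "https://app.example/cb"                                  # constructed
    srv.register(Client("web-app", {cb}, client_secret="s3cret"))  # confidential client
    srv.register(Client("spa", {cb}))                              # public client, no secret
    out: Dict[str, object] = {}
    code = srv.authorize("web-app", cb)
    out["ok"] = "access_token" in srv.token("web-app", code, cb, "s3cret")
    out["replay"] = _error_of(srv.token, "web-app", code, cb, "s3cret")
    code = srv.authorize("web-app", cb)
    out["redirect_mismatch"] = _error_of(srv.token, "web-app", code, "https://other.example/cb", "s3cret")
    out["bad_secret"] = _error_of(srv.token, "web-app", code, cb, "wrong")
    out["other_client"] = _error_of(srv.token, "spa", code, cb)
    # The public client is accepted without any secret: nothing here proves who is
    # redeeming the code, which is why the answers tie this grant to server-side clients.
    code = srv.authorize("spa", cb)
    out["public_ok"] = "access_token" in srv.token("spa", code, cb)
    return out


if __name__ == "__main__":
    print(demo())
```

Running the module prints the result of `demo()`: the first exchange succeeds, the replay, the redirect URI mismatch and the code issued to another client all fail with `invalid_grant`, the wrong secret fails with `invalid_client`, and the public client succeeds without presenting anything at all.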

The advantages of the authorization code grant are as follows (from the OAuth 2.0 spec, section 1.3.1):

The authorization code provides a few important security benefits, such as the ability to authenticate the client, as well as the transmission of the access token directly to the client without passing it through the resource owner's user agent and potentially exposing it to others, including the resource owner.

Usually, if your client is server-side (a web application), you should use the authorization code grant. If it is a JavaScript-based (client-side) application, the implicit grant. For mobile applications, the authorization code grant is preferable if you use an external browser (not an embedded one).

Client secrets are only suitable for server-side applications, since on the client side the secret would have to be built into the software, and so it stays secret only for so long (it can be reverse engineered).

+12

Source: https://habr.com/ru/post/1397601/
