When To Use Which (OAuth2) Grants and (OIDC) Flows
Update: This is by far my most popular post. I’ve continued to update this
article based on feedback and things that I have noticed. I’m trying to keep
it relevant. Please leave feedback in the comments section.
If you have been following my SAML2 vs JWT series lately, you are no
doubt familiar with the OAuth2 and OpenID Connect (OIDC)
specifications. The OAuth2 specification defines several authorization
grants that can be used to coordinate authentication of a user and grant
access to resources owned by that user. Of course, in the earlier OAuth2
post, we discussed how OAuth2 is an authorization protocol that
doesn’t define the specifics of how the authentication occurs, but any
https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864 1/14
2/13/2019 When To Use Which (OAuth2) Grants and (OIDC) Flows – Robert Broeckelmann – Medium
• Implicit Grant
• Implicit Flow
• Hybrid Flow
So, in this blog post, we are going to explore exactly when each of these
should be used — including some instances of where these could be
used, but maybe cause more problems than they solve. I covered some
of this information in my earlier posts, but that wasn’t the primary
focus and the discussion is incomplete.
Another note, worth mentioning, before diving into the details is that
most Identity Providers (OAuth2 Authorization Servers and OIDC
OpenID Providers) now offer libraries and SDKs that allow this
functionality to be used without being aware of all the low-level details.
Regardless of whether such a library is available for your IdP, the
supported features of your IdP will dictate more than anything else
what OAuth2 and OIDC features are used — choose wisely with an
understanding of your expected use cases.
Anytime you have a system that isn’t concerned with the end user
identity (and just needs to authenticate the system), use the OAuth2
Client Credential Grant.
From a purely technical point of view, most of the OAuth2 grants and
OIDC flows that support end user authentication can be made to work
in just about any scenario, but there tend to be profound security (or
lack thereof) implications to being creative in this fashion.
OAuth2 Spec
The OAuth2 spec (Section 2.1) describes three types of clients:
Things to Consider:
So, the Authorization Code Grant works great for the traditional Web
Application architecture that has a dedicated server-side component. It
can also work in most situations where there is a secure, server-side
component that can act in the role of the Client.
With modern SPA apps, native mobile apps, and others this may not be
the case — the server-side component may be a shared API Gateway for
example that isn’t really meant to fill this role and may not be under
your direct control (ergo, you don’t want it to know the client secret for
your application). Thus, these are categorized as Public Clients. It’s also
interesting to note that the “Client” terminology is used to describe the
component closest to the end user in these scenarios, not the server-
side component — as is the case with the “default” Authorization Code
Grant example.
The OAuth2 specification does allow for a Public Client to use the
Authorization Code Grant. Though, something is lost in terms of the
level of security assurance when you are no longer authenticating the
client (via client identifier and client secret). With this ability, it is
possible to use the Authorization Code Grant with SPA apps and native
mobile apps. Though, potential attack vectors are introduced without
the client secret in play; to mitigate these issues, consider using the
OAuth2 Proof Key for Code Exchange Spec that allows dynamic client
secrets to be generated, which allows the Authorization Server to bind
the authorization code exchange request to the original authorization
code request.
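To make the PKCE binding concrete, here is an added example (not code from the original post) modelling both sides in Python: the client generates a per-request code_verifier and its S256 code_challenge, and the authorization server refuses the code exchange unless the verifier hashes to the challenge it recorded when it issued the code. The in-memory `ISSUED_CODES` store and the function names are assumptions for illustration.

```python
import base64
import hashlib
import secrets

# Constructed in-memory authorization-server state (an assumption for this
# example): each issued code is stored with the code_challenge it was issued
# against, so the token endpoint can bind the exchange to the original request.
ISSUED_CODES = {}

def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier_and_challenge():
    """Client side: a fresh per-request code_verifier (the 'dynamic secret')
    and its S256 code_challenge, which is all that goes on the front channel."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def authorize(code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: issue a code bound to the presented challenge.
    Only S256 is accepted; 'plain' would expose the verifier on the front channel."""
    if method != "S256":
        raise ValueError("only code_challenge_method=S256 is accepted")
    code = b64url(secrets.token_bytes(16))
    ISSUED_CODES[code] = code_challenge
    return code

def exchange(code: str, code_verifier: str) -> bool:
    """Token endpoint: accept the exchange only if SHA256(code_verifier) equals
    the challenge recorded at issuance. The code is consumed on first use,
    whether or not the verifier matched."""
    challenge = ISSUED_CODES.pop(code, None)
    if challenge is None:
        return False  # unknown, expired or already-used code
    derived = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(derived, challenge)

def demo() -> tuple:
    """Returns (code-only exchange, legitimate exchange, replay of that code)."""
    _, challenge = make_verifier_and_challenge()
    code = authorize(challenge)
    code_only = exchange(code, "guessed-verifier")  # code without verifier: rejected
    verifier, challenge = make_verifier_and_challenge()
    code = authorize(challenge)
    legit = exchange(code, verifier)                 # matching verifier: accepted
    replay = exchange(code, verifier)                # single use: rejected
    return code_only, legit, replay
```

Without the client secret, the verifier is the only thing tying the token request to the party that started the flow, which is why the server must reject a code presented without it.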
The Implicit Grant has the benefit of requiring only a single call to the
IdP; however, it opens up security concerns that are not present in the
other grants — namely, the user agent can now see the access token.
This grant also lacks the ability to authenticate the client, which the
other grants can do — further introducing attack vectors that the
authorization grants, which require a client secret, do not experience.
Like the Implicit Grant, this grant also has the benefit of only making a
single call to the authorization server. It allows an application that is
incapable of integrating with an interactive login (such as you get with
the Implicit Grant and Authorization Code Grant) to still obtain tokens. This gives the
authorization server a great deal of flexibility in terms of the types of
clients that can interact with it, but it also provides a mechanism for
bypassing a standardized login workflow mechanism that can enforce
things like two-factor authentication, forced password resets, and
similar desirable identity features. From the perspective of a
centralized identity stack, bypassing these features is
counterproductive and undesirable; even if identity and access
management functions are not centralized, this is still generally
undesirable in the enterprise.
Used By: any client that has access to the end user’s credentials,
handles its own login workflow, and (because either you do not care or
have no choice) is allowed to perform these tasks.
Additional Uses: Some sources recommend using this grant with your
own native apps (rather than the authorization code grant with public
client) since full access and control over the source code is ensured. In
larger organizations, this may not be a viable assumption. Personally, I
would use the authorization code grant with public client as described
earlier in this article.
This grant can also be used in place of the Client Credential Grant in
situations where a service account is used to represent the system or
calling application. A larger strategy surrounding how applications will
be represented within the identity stack is recommended before going
down this path. Most modern identity providers (those that support
OAuth2 and OIDC) will have functionality to represent an application
similar to how traditional identity providers can represent a user.
This grant is different from the other three defined by the OAuth2 spec
in that it provides for authenticating the application (or system) only,
not an end user.
Refresh tokens should not be used with this grant, but the OAuth2 spec
does not explicitly forbid the use (it states ‘a refresh token “should not”
be included’). Some Identity Provider implementations return a refresh
token with a Client Credentials Grant call to the Token Endpoint. You
Used By: Anything that can keep the client secret confidential, has no
need for end user authentication, and needs to access a third-party
resource.
Used By: All commentary made above regarding the OAuth2 Implicit
Grant applies here. In addition, there is a choice of whether or not an
access token is requested to access a backend resource (response_type
of “id_token” or “id_token token”). If your requirements include
• needs a separate token for the front end and back end
Additional thoughts:
• Whenever possible, use OIDC instead of pure OAuth2.