Basic - Use grant type code instead of implicit grant
I would suggest to change the Basic Client Profile to use authorization codes instead of the implicit grant. In my opinion, code has the following advantages:
- It is simpler to implement for web applications.
- It is better suited for mobile apps because of the support for refresh tokens.
- The ability to transmit large user data chunks over a back channel instead of the front channel is beneficial for mobile web applications, which most likely run on high latency, low bandwidth network connections.
- It is more secure due to the transmission of longer-lasting secrets via back channels only.
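The contrast the issue draws, as an added example that is not part of this thread or of the OpenID Connect specifications: a toy Python model of both grants. The client id, client secret, redirect URI and the authorization server's code store are all constructed here; it shows which parameter names cross the front channel in each flow, that the code flow returns a refresh token over the back channel, and that a code cannot be redeemed twice.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "webapp"                      # assumed client identifier
CLIENT_SECRET = "assumed-client-secret"   # assumed back-channel credential
REDIRECT_URI = "https://rp.example/cb"    # assumed redirect URI

_pending_codes = {}  # constructed AS state: unredeemed code -> client_id


def implicit_redirect():
    """Implicit grant: the access token itself rides the front channel (URL fragment)."""
    token = secrets.token_urlsafe(16)
    return f"{REDIRECT_URI}#" + urlencode({"access_token": token, "token_type": "bearer"})


def code_redirect():
    """Authorization code grant: only a single-use code crosses the front channel."""
    code = secrets.token_urlsafe(16)
    _pending_codes[code] = CLIENT_ID
    return f"{REDIRECT_URI}?" + urlencode({"code": code})


def token_endpoint(code, client_id, client_secret):
    """Back-channel exchange: needs the client secret and an unredeemed code.
    Returns None on a bad secret or on a replayed/unknown code."""
    if client_secret != CLIENT_SECRET:
        return None
    if _pending_codes.pop(code, None) != client_id:
        return None
    return {"access_token": secrets.token_urlsafe(16),
            "refresh_token": secrets.token_urlsafe(16),  # never issued by implicit
            "token_type": "bearer"}


def front_channel_params(url):
    """Parameter names a browser-side observer (history, Referer, proxy logs) can see."""
    parts = urlparse(url)
    return set(parse_qs(parts.query)) | set(parse_qs(parts.fragment))


def code_flow():
    """One code-flow round trip: returns (front-channel names, tokens, replay result)."""
    url = code_redirect()
    code = parse_qs(urlparse(url).query)["code"][0]
    tokens = token_endpoint(code, CLIENT_ID, CLIENT_SECRET)
    replay = token_endpoint(code, CLIENT_ID, CLIENT_SECRET)  # second redemption must fail
    return front_channel_params(url), tokens, replay
```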
Comments (4)
Account Deleted Agree with this. Code flow should be the "default" that we point people to.
- changed status to open
Code is better for simple client as it is easier to secure, and also supports refresh token for offline access, which is usually required.
Easiest to implement in the widest audience should be the default.
Consensus on Code.
Maintain the implicit profile subject to change, e.g., deployment guide.
- changed status to resolved
Done in checkin 9e14369328a6. We also created openid-connect-implicit-1_0.xml that is the equivalent profile for the implicit flow.
Issue #560 was marked as a duplicate of this issue.