adem caglin

Reputation: 24123

Identity Server 3 implicit grant with mvc application

According to the OpenID spec, implicit grant is suitable for JavaScript and mobile applications, and it is less secure compared with the authorization code grant. In other words, as far as I understand, it is not recommended for server-based applications (like ASP.NET MVC).

The Implicit Flow is mainly used by Clients implemented in a browser using a scripting language

But I have seen some examples using implicit grant with an MVC application (for example: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/MVC%20Authentication/EmbeddedMvc). So I am confused.

Is it correct (secure) to use implicit grant with an MVC application, especially for SSO purposes?

If not, is there an OWIN middleware for an MVC client application to handle the authorization code flow?

Upvotes: 1

Views: 593

Answers (1)

Brock Allen

Reputation: 7435

It depends. If all you're doing is authentication then implicit is fine. If you're also obtaining access tokens then implicit exposes those to the browser and user. So if you plan to use that access token in your JS, then no worries -- the API is already designed to be accessed from the browser directly. But if you prefer that your API is not accessible from the browser, then hybrid flow will prevent the access token from being made visible to the browser, JS, and user.

Upvotes: 1
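As an added example that is not part of the question or the answer, here is the hybrid-flow configuration the answer refers to, written for the OWIN OpenID Connect middleware an ASP.NET MVC client would use with IdentityServer3. The authority, client id, client secret and redirect URI are placeholders, and the `TokenClient` calls are assumed to follow the IdentityModel 1.x API that the IdentityServer3 samples used.

```csharp
// Added example, not code from the question, the answer or the IdentityServer3 project.
using System;
using System.Security.Claims;
using IdentityModel.Client;                    // assumed: IdentityModel 1.x TokenClient
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    const string Authority = "https://idsrv.example.test/identity"; // placeholder

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = Authority,
            ClientId = "mvc-client",                  // placeholder
            RedirectUri = "https://localhost:44300/", // placeholder
            // Implicit flow for login only would be ResponseType = "id_token".
            // Hybrid flow: only the id_token returns through the browser; the
            // access token is redeemed server-to-server in the callback below.
            ResponseType = "code id_token",
            Scope = "openid profile api1",
            SignInAsAuthenticationType = "Cookies",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async n =>
                {
                    // Exchange the code at the token endpoint using the client
                    // secret, so the access token never passes through the browser.
                    var client = new TokenClient(Authority + "/connect/token",
                                                 "mvc-client", "<client-secret>"); // placeholder
                    var response = await client.RequestAuthorizationCodeAsync(
                        n.Code, n.RedirectUri);
                    if (response.IsError) throw new Exception(response.Error);

                    // Store the token in the server-side session cookie's claims,
                    // not in any state readable by page JavaScript.
                    n.AuthenticationTicket.Identity.AddClaim(
                        new Claim("access_token", response.AccessToken));
                }
            }
        });
    }
}
```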
