Wolfgang

Reputation: 2328

How is OAuth 2.0 "Implicit Flow" better than "Resource Owner Password"?

I am just getting started with IdentityServer4 and working my way through different tutorials and articles.

I understand that there are different flows for different architectures. I build mostly Single Page Apps (with Angular). As far as I've understood it, I have basically two options to authenticate and then authorize:

Everywhere I look, it is stated that Implicit flow would be better (in one regard or the other).

Why is that?

I would be the product owner of both the API and the SPA.

Upvotes: 3

Views: 1155

Answers (2)

Mim

Reputation: 453

Besides the good points Ján has made, it is worth noting that you won't get SSO if you use Resource Owner Password flow. If you use implicit flow the Identity Server can store the user like any website can, whereas with Resource Owner Password you cannot see if the user has previously authenticated for another service with the Identity Server.

Upvotes: 0

Ján Halaša

Reputation: 8431

There are several reasons for the Implicit flow being better than the Resource Owner Password flow:

  1. The /token endpoint should require a client secret and single page applications (SPA) have no way of keeping their secrets safe.
  2. Users usually have more trust in the OAuth2 server than applications using it. When using the Resource Owner Password flow, your application reads the username and password, so users may be reluctant to enter it.
  3. Your application may have security issues that will expose the passwords to attackers - unnecessary risk.
  4. With Resource Owner Password flow, it's hard to implement multiple different authentication methods. Using the Implicit flow, you get it for free.

Maybe someone else will add other reasons that didn't come to my mind.

Upvotes: 2
