user8811409

Reputation: 569

OAuth Implicit Grant Flow: Security implications and alternative to passing access token to app in URL Fragment

I've been looking through the implicit grant flow, and it looks like in some applications the access token is passed back to the app using a URL fragment (see these Okta docs: https://developer.okta.com/blog/2018/05/24/what-is-the-oauth2-implicit-grant-type#the-implicit-grant)

I'm curious about the following:

  1. What are the security implications of passing the access token back to the app like this?
  2. Is there any other way to safely pass the access token back to the app?

Upvotes: 1

Views: 769

Answers (2)

Matthijs Melissen

Reputation: 123

  1. The implicit flow is susceptible to the authorization code interception attack. In particular, when registering a custom URL scheme as the redirect_uri, there is the risk that a malicious app registers the same custom URL scheme and uses it to intercept authorization codes.

  2. Use PKCE, see for example https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce

Upvotes: 0

user9775882


The flows that return access tokens directly from the authorization endpoint are deprecated and should not be used by new applications. There are no newly discovered issues with them; it's just that they were designed to solve an issue which is no longer an issue (cross-site requests, i.e. CORS, have come a long way since 2010).

The OAuth 2 implicit flow, together with the password grant type, is deprecated by https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-18 as well as https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-02

  1. see https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
  2. use the code flow, the OIDC hybrid flow, or the form_post response mode

Upvotes: 1
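Both answers point at the same replacement for the implicit grant: the authorization code flow with PKCE (RFC 7636). The following is an added example, not code from either answer nor from the Okta or Auth0 pages they link to. It is a self-contained Python sketch of both sides of the PKCE check: the client derives a code_challenge from a random code_verifier, the authorization server binds the issued code to that challenge, and the token endpoint only releases an access token when the verifier matches. The CLIENT_ID and REDIRECT_URI values, the ToyAuthorizationServer class, and its refusal of the "plain" method are assumptions made for the demo. The redirect uses a custom URL scheme on purpose, because that is the interception case the first answer describes: a second app on the same scheme can receive the code, but it never saw the verifier.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical values for this demo; they do not come from the question or the answers.
CLIENT_ID = "example-native-app"
REDIRECT_URI = "myapp://callback"   # custom URL scheme, the case the first answer warns about


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random verifier of 43..128 chars from [A-Za-z0-9-._~] (RFC 7636 4.1).

    32 random bytes encode to exactly 43 characters, the minimum length.
    """
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Minimal in-memory authorization server (assumed design, not a real product)."""

    def __init__(self) -> None:
        # code -> (client_id, redirect_uri, code_challenge)
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: returns the code that would be sent to redirect_uri."""
        # Design choice of this toy: refuse 'plain', whose challenge equals the verifier,
        # so anyone who saw the authorization request would already hold the secret.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str):
        """Token endpoint: the code alone is worthless without the matching verifier."""
        entry = self._codes.pop(code, None)    # single use: any attempt consumes the code
        if entry is None:
            return None
        issued_client, issued_redirect, challenge = entry
        if client_id != issued_client or redirect_uri != issued_redirect:
            return None
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def demo() -> dict[str, bool]:
    """Three exchanges: a legitimate one, a replay of the same code, and an intercepted code."""
    auth = ToyAuthorizationServer()

    # 1. Legitimate client keeps the verifier in memory and sends only the challenge.
    verifier = make_code_verifier()
    code = auth.authorize(CLIENT_ID, REDIRECT_URI, code_challenge_s256(verifier))
    legit = auth.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    replay = auth.token(CLIENT_ID, REDIRECT_URI, code, verifier)

    # 2. A second app registered on the same custom scheme receives the redirect and
    #    therefore the code, but it never saw the verifier and must guess one.
    verifier2 = make_code_verifier()
    code2 = auth.authorize(CLIENT_ID, REDIRECT_URI, code_challenge_s256(verifier2))
    intercepted = auth.token(CLIENT_ID, REDIRECT_URI, code2, make_code_verifier())

    return {
        "legit_gets_token": legit is not None,
        "replay_gets_token": replay is not None,
        "interceptor_gets_token": intercepted is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints one dictionary: only the legitimate exchange yields a token; the replay fails because the code is single use, and the interceptor fails because a code without its verifier does not pass the S256 check. In a real deployment the verifier travels in the POST body of the token request over TLS and the token comes back in the response body, so it never appears in a URL fragment, browser history, or a redirect that another app could receive.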
