On 19 Nov 2018, at 10:34, Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
> 
> Hi all,
> The authors of the OAuth Security Topics draft came to the conclusion that it 
> is not possible to adequately secure the implicit flow against token 
> injection since potential solutions like token binding or JARM are in an 
> early stage of adoption. For this reason, and since CORS allows browser-based 
> apps to send requests to the token endpoint, Torsten suggested to use the 
> authorization code instead of the implicit grant in all cases in his 
> presentation 
> (see https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-security-topics-01).
> A hum in the room at IETF#103 concluded strong support for his 
> recommendations. We would like to confirm the discussion on the list.
> Please provide a response by December 3rd.


ForgeRock are in favour of deprecating the implicit flow in favour of the 
authorization code flow as suggested.

In our opinion, it is more secure and more consistent to prefer the 
authorization code in all such cases.

Kind regards,

Neil Madden
Security Director, ForgeRock Engineering
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
