Hello OAuth experts, I developed a new Grant Flow based on the Implicit Grant Flow and OIDC and I would like to ask for its review. I hope it's safe, but maybe I missed something. I'll appreciate any feedback.
The Implicit grant flow was intended for authorising clients which can't store the `client_secret`, like SPAs. It was considered not very safe and some Auth Services like GitHub don't even support it. OIDC added the `id_token`, which is a signed JWT (JWS) that contains user info. If we only need authentication, it's now possible to request only `response_type=id_token`, i.e. we aren't interested in getting the `access_token`. Anybody can verify that the token was issued by the Auth Server and that it wasn't changed. We may also ask to include our own `nonce` into the `id_token` and thus protect against reusing the `id_token` twice. This gives us the ability to use the `id_token` for server validation.

To explain the flow let's take Google as an example:

1. On the UI a User presses the Login button.
2. The UI asks the server for the `nonce`; the server generates it, stores it and returns it to the UI. For example `gNNMgg`.
3. Now the UI redirects the User Agent to the Auth Server with the received `nonce`, a random `state` and `response_type=id_token`.
4. The User authorises the Client (app) on the Auth Service, which redirects back to the Client UI, and the `id_token` is passed in the hash `#` part of the URL.
5. The UI checks that the `state` is the same as it generated on step 3.
6. The UI now has the User details but the Server does not. So the UI sends the received `id_token` to the Client Server.
7. The Client Server verifies the `id_token` signature with the public JWKS of the Auth Server.
8. To avoid submitting someone else's stolen `id_token`, the Client Server also verifies that its own generated `nonce` is the same as the one included in the `id_token`.

The key advantage of the flow is that the Client Server doesn't have to perform a side-channel request to the Auth Server as it needs to in the Authorization Code flow. This not only improves performance but also allows decoupling the Client Server from the Auth Service. For example, the Client Server can't connect to the Auth Service because of connectivity problems, or the AS is blocked in the Client Server's country (e.g. Yandex and VK.com in Ukraine, Google in China, Twitter in Nigeria etc.). Another reason is if the Client Server wants to hide its IP from the Auth Service, e.g. when it is a Tor Hidden Service with a .onion domain. The Client Server anyway has to periodically fetch the JWKS of the AS, but this can be done over a secure channel (e.g. over the same Tor network). Now it's possible to block any outgoing connections from the Client Server, which significantly improves safety.

Could you please confirm that this is a correct flow and I didn't miss anything?

The PoC demo: https://stokito.com/auth.html (click on "Login with Google")
The PoC sources: https://github.com/yurt-page/cgi-oauth

Thank you in advance,
Sergey

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
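The Client Server side of the flow (nonce issuance in step 2, the signature and nonce checks in steps 7 and 8) as a runnable sketch. This is an added example written for this page, not code from the PoC or the cgi-oauth project. So that it runs on the Python standard library alone, a stub Auth Server signs the `id_token` with HS256 and hands the symmetric key out as an `oct` JWK; a real Auth Server uses RS256/ES256 and publishes only public keys, but the Client Server logic is the same. `ISSUER`, `CLIENT_ID`, `NONCE_TTL`, the key id and the sample user are constructed values. Besides the two checks the steps name, the verifier applies the `iss`, `aud` and `exp` checks that OIDC Core requires for any `id_token`, and it consumes the nonce on first use so the same token submitted twice is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed identifiers for the demo; they are not Google's or the PoC's values.
ISSUER = "https://auth.example"   # stand-in for the Auth Server's `iss`
CLIENT_ID = "demo-client-id"      # the Client's registered client_id (`aud`)
NONCE_TTL = 600                   # seconds a pending nonce stays valid (assumption)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServerStub:
    """Stand-in for the Auth Server (step 4). HS256 is used only so the example
    needs no crypto library; a real AS signs with an asymmetric key."""

    def __init__(self) -> None:
        self.kid = "demo-key-1"
        self.key = secrets.token_bytes(32)

    def jwks(self) -> dict:
        # Symmetric JWK only because of the HS256 stand-in; a real JWKS holds public keys.
        return {"keys": [{"kty": "oct", "kid": self.kid, "alg": "HS256",
                          "k": b64url_encode(self.key)}]}

    def issue_id_token(self, sub: str, nonce: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT", "kid": self.kid}
        claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        signing_input = ".".join(
            b64url_encode(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, claims))
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)


class ClientServer:
    """Issues nonces (step 2) and validates id_tokens (steps 7 and 8)
    without contacting the Auth Server."""

    def __init__(self, jwks: dict) -> None:
        self.keys = {k["kid"]: k for k in jwks["keys"]}   # JWKS fetched out of band
        self.pending: dict = {}                             # nonce -> time issued

    def new_nonce(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Drop stale nonces so the table cannot grow without bound.
        self.pending = {n: t for n, t in self.pending.items() if now - t < NONCE_TTL}
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = now
        return nonce

    def verify_id_token(self, token: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h64, p64, s64 = parts
        header = json.loads(b64url_decode(h64))
        key = self.keys.get(header.get("kid"))
        # Pin the algorithm to the one registered for the key; never trust the token's alg alone.
        if key is None or header.get("alg") != key["alg"] or key["alg"] != "HS256":
            raise ValueError("unknown kid or unexpected alg")
        expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            raise ValueError("bad signature")                  # step 7
        claims = json.loads(b64url_decode(p64))
        if claims.get("iss") != ISSUER:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            raise ValueError("token expired")
        nonce = claims.get("nonce")
        if nonce not in self.pending or now - self.pending[nonce] >= NONCE_TTL:
            raise ValueError("unknown, expired or already used nonce")   # step 8
        del self.pending[nonce]   # single use: the same token submitted again fails here
        return claims


def run_flow(auth_server: AuthServerStub, client: ClientServer, user: str = "user-123"):
    """Steps 2, 4 and 6-8 in sequence; returns the token and the accepted claims."""
    nonce = client.new_nonce()                         # step 2
    token = auth_server.issue_id_token(user, nonce)    # step 4, after the redirect
    return token, client.verify_id_token(token)        # steps 7 and 8


if __name__ == "__main__":
    auth_server = AuthServerStub()
    client = ClientServer(auth_server.jwks())
    token, claims = run_flow(auth_server, client)
    print("accepted sub:", claims["sub"])
```

The pending-nonce table is what binds a submitted token to a login this server started: a token carrying a nonce the server never issued, or one already consumed, is refused regardless of a valid signature, and the signature check in turn is what makes the nonce claim trustworthy.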