While taking an ASP.NET identity security course with OpenID Connect/OAuth2, I learned about the differences and pro/cons of different workflows.
Specifically, I'm confused about the purpose of the code id_token
hybrid workflow, which is just like the authorization code workflow, except that it also returns a (simplified) id_token
from the front channel.
So my first question is, if later on the full id token and access token are to be retrieved again via the back channel anyway, what is the purpose of having a watered-down id_token
returned by the first (less secure) request in the first place?
Another thing is about security: course instructor mentioned that hybrid workflow with code id_token
is considered secure even without PKCE protection for two reasons:
id_token
contains a c_hash
value that ties it to the authorization code, protecting it against authorization code leak/replay attackMy question: Since this initial id_token
is returned along side authorization code in the exact same manner, if authorization code is compromised, shouldn't we assume that the id_token
is also compromised, making this protection ineffective?
nonce
string ensures one-time use of the authorization codeMy question: Since nonce
is included as plain text in URL, if the attacker manages to post the redirection response to the client before the legit user does, along with the authorization code, the attack will be successful, right?
Given these, is it correct to say authorization code workflow with PKCE protection (plus nonce) is more secure than the code id_token
hybrid workflow without PKCE?
Thanks.
The main use case for Hybrid Flow is for web clients that require different tokens for front end and back end:
HYBRID FLOW CHARACTERISTICS
Redirect with a response type of code id_token and receive an ID token back in a query string, along with the authorization code. To prevent substitution attacks you supply a nonce value during the redirect and then verify that the same value exists in the response as an ID token claim.
SECURITY
In terms of security it is used in conjunction with PKCE. If used with care, the security is properly thought out and included in the OpenID Connect Specification. It requires more conplex code in clients though.
Also, if personal data such as names and emails are included in ID tokens, it is revealed to the browser history and server logs. This is something to look out for in ID tokens generally. It is usually better to get such fields from the User Info endpoint instead.
FINANCIAL GRADE RECOMMENDATIONS
These days, receiving all tokens on the back channel, using response_type=code
, is usually recommended. This is reflected in FAPI 2.0 which now mandates no ID token on the front channel.