What are the implications of the authorization endpoint issuing the access token?
My understanding is that in a standard OAuth flow, the access token is issued by the token endpoint, and the ID token is issued by the authorization endpoint.
In Azure AD, there's an option to have the access token issued by the authorization endpoint instead. Are there security (or other) issues with doing this when not using an implicit flow?
In implicit flow, access tokens are issued by the /authorize endpoint of the authorization server. So if your app is not obtaining access tokens from the /authorize endpoint, you are not leveraging the implicit flow by definition.
You shouldn't be using implicit flow with Azure AD anymore. Implicit flow is less secure for several reasons: the client application does not authenticate itself, the tokens are acquired through the front channel, response in the query parameters leaks into the browser history and etc. Implicit flow was originally meant to support native and browser apps (i.e. public client apps), since they have no means to contain a secret that could be used to prove their identity. Azure AD now supports the Proof Key for Code Exchange (PKCE) extension for the authorization code flow, which provides a workaround for public client apps to leverage the authorization code flow (which is more secure).
Hybrid flow (where your app receives the ID token from the /authorize endpoint and the access token from the /token endpoint), on the other hand, is fine -as long as your app runs on HTTPS. ID token is only meant for your own application (i.e. the app that acquires it) for the purpose of identifying the user (to update the UI and etc.), so from a security standpoint, it's not as crucial (of course, never make authorization decisions based on ID tokens).
- Where to store the refresh token on the Client?
- GitHub Clone with OAuth Access Token
- How to get refresh token for "Sign In With Google"
- How can I download a single raw file from a private github repo using the command line?
- How to properly use Bearer tokens?
- Automating access token refreshing via interceptors in axios
- How to log out of Synology SSO Server (OIDC)?
- OAuth not working inside an iframe
- BFF pattern for native apps in OAuth 2.0?
- Why is PKCE `code_verifier` calculated server-side in BFF pattern?
- Python Script Token Refresh Mechanism Problem for Spotify API
- Laravel Passport Password Grant - Client authentication failed
- Github, restricting third-party access to organizations
- UiPath CLI - github deployment to uipath cloud
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- Facebook login message: "URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings."
- Is is safe to store access token in session storage of client browser?
- Why Google native oauth2 flow require client secret?
- How to use the Requests OAuthlib with grant-type 'Client Credentials'?
- How to get a Google OAuth 2 token for API testing
- Data intent is null in Android using universal links/applinks using react-native-app-auth
- Cognito: User Pool Client OAuth Scope Limitation
- Yahoo! Fantasy API Maximum Count?
- GitLab OAuth access token validity
- Twitter request token invalid on iOS
- Implementing OAuth 1.0 in an iOS
- How to create oAuth in Instagram?
- Swift (Xcode) REST API Connection using OAuth 1
- MapMyFitness API OAuth questions
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0