Re: [OAUTH-WG] Confusion on Implicit Grant flow

"Reddick, Anwar" <> Mon, 09 February 2015 22:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E90C41A8A25 for <>; Mon, 9 Feb 2015 14:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ss97FC8-BiZ1 for <>; Mon, 9 Feb 2015 14:42:15 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4BED31A8A1D for <>; Mon, 9 Feb 2015 14:42:14 -0800 (PST)
X-ASG-Debug-ID: 1423521729-0768e41c96482000001-2rbJmR
Received: from ( []) by with ESMTP id mLvovngso9GFRQIi; Mon, 09 Feb 2015 14:42:09 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.995.29; Mon, 9 Feb 2015 17:42:09 -0500
Received: from ([fe80::3826:8bd1:e211:9431]) by ([fe80::3826:8bd1:e211:9431%18]) with mapi id 15.00.0995.028; Mon, 9 Feb 2015 17:42:09 -0500
From: "Reddick, Anwar" <>
To: Bill Burke <>, John Bradley <>
Thread-Topic: [OAUTH-WG] Confusion on Implicit Grant flow
X-ASG-Orig-Subj: Re: [OAUTH-WG] Confusion on Implicit Grant flow
Date: Mon, 09 Feb 2015 22:42:08 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_e293564ad29d42bfab7e521afbd20a83APATLISDMAIL02coregtrio_"
MIME-Version: 1.0
X-Barracuda-Start-Time: 1423521729
X-Virus-Scanned: by bsmtpd at
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=1000.0 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.00 HTML_MESSAGE BODY: HTML included in message
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] Confusion on Implicit Grant flow
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Feb 2015 22:42:18 -0000

Hi Bill,

I'm not sure if I have permission to post to the OAuth list. Anyway, if your page that does the OAuth processing includes third party scripts, then those scripts will probably have access to the code, client secret, and access token. I believe this concern is addressed in the security section of RFC 6749.

E. Anwar Reddick
Research Scientist
Georgia Tech Research Institute

----- Reply message -----
From: "Bill Burke" <>
To: "John Bradley" <>
Cc: "" <>
Subject: [OAUTH-WG] Confusion on Implicit Grant flow
Date: Mon, Feb 9, 2015 5:33 PM

On 2/9/2015 5:03 PM, John Bradley wrote:
> OK, I don't know if the WG has discussed the issue of fragments in browser history.
> So you are trading off several round trips against the possibility of a token leaking in browser history or bookmark?

Yes, bookmarking tokens is a little scary, IMO, as we've already run
into users bookmarking URLs with codes in them.

Also, wasn't there additional security vulnerabilities surrounding
implicit flow?  Maybe these were just the product of incorrect
implementations, I don't remember, it was a while ago.

> One extension that Connect introduced was a "code id_token" response type that is fragment encoded.  That would let you pass the code directly to the JS saving two legs.

It looks like OIDC added a "response_mode" parameter where you can
specify "query" or "fragment".  Thanks for pointing this out!

Thanks for all the help.

Bill Burke
JBoss, a division of Red Hat

OAuth mailing list