From the course: Web Security: OAuth and OpenID Connect (2019)


When should I use this?


- [Instructor] With the creation of Auth Code plus PKCE, it's valid to ask, should we use the Implicit grant type at all? In short, yes, but very rarely at best. First, while Implicit is deprecated, it's not because it's impossible to secure or that it's fundamentally insecure; it's because it's hard to secure. The big problem relates to the access token being sent to the application via a URL parameter, or a GET. In more recent times, JavaScript frameworks can accept inbound POST messages from the authorization server, so even that's been mitigated. The more common problem is that when this was created 10 years ago, cross-origin resource sharing, or CORS, was inconsistent at best. That limitation eliminated the Authorization Code Flow because we couldn't make a POST back to our authorization server. Luckily, that's long addressed by widespread CORS adoption. So, you should default to Auth Code with PKCE whenever possible.…
