How to avoid Perils of Implicit Grant Flow/ID Token?

Siegfried Heintze 1,861 Reputation points
2020-05-12T17:19:13.72+00:00

After fighting to get some tutorial examples from 9781484250396 working, I learned that most of the examples required that I check the ID tokens feature for Implicit grant flow.

The text on the port.azure.com on the page for registering an AAD webapp and configuring the authentication says this under "Implicit Grant":

"Allows an application to request a token directly from the authorization endpoint. Checking Access Token and ID Token only recommended if the application has a single-page architecture (SPA), has no back end components and does not use the latest version of MSAL.js with Auth Code Flow, or invokes a Web API via JavaScript. ID Token is needed for ASP.NET Core Web Apps. Learn more about the implicit grant flow".

Is this correct? It sounds wrong where it says that ID Token is needed for ASP.NET Core Web Apps! I was hoping the Microsoft Examples of WebApps for .NET Core 3 would not require me to use the ID Token. If this is correct, it sounds like the only salvation is to use the latest version of MSAL.js instead of C# for all authentication.

What about .NET Framework? Do WebApps written in .NET Framework require ID Token?

Where can I find some tutorials that don't require ID token/Implicit Grant Flow that don't authenticate with javascript?


Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-05-21T09:28:59.633+00:00

    @SeigfriedHeintze-9929, We have never said that Auth Code Grant flow is not a secure alternative for Implicit Grant Flow. But as mentioned in my previous response, until now we only recommended implicit grant flow for SPA (javascript based applications) by implementing MSAL.

    With the advent of MSAL v2.x, MSAL.js is now capable of implementing Auth-Code Grant flow. You can take a look at the sample present here: https://github.com/Azure-Samples/ms-identity-javascript-v2

    For web-apps or any other desktop/mobile apps Auth-Code Grant flow is always recommended. You can check the following url to check the samples available for various platforms including ASP .net core and ASP .net Frameworks: https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code#web-applications

    PKCS (Public Key Certificate Services) is a certificate which can be used in place of the app secret in the app registration. This certificate can be used for authenticating the application with an IDP. It can be used with any of the OAuth flows that need a client secret to be produced in the request. I have not come across any samples that have used PKCS with any of the OAuth flows.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

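The Auth-Code Grant flow with PKCE that the accepted answer recommends over implicit grant, as an added example (not code from this thread, from MSAL or from Microsoft): it builds the v2.0 authorization request, performs the PKCE check the authorization server does at the token endpoint, and tells an implicit-style redirect (tokens in the URL fragment) apart from an auth-code redirect. Tenant, client id, redirect URI and state are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Real Microsoft identity platform v2.0 authorize endpoint; {tenant} is filled in below.
AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43-char URL-safe verifier, kept only on the client
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_code_request(tenant, client_id, redirect_uri, scopes, state, code_challenge):
    """Authorization request for the auth code flow: only a one-time code comes back,
    never an access token or ID token in the browser-visible URL."""
    params = {
        "client_id": client_id,
        "response_type": "code",            # implicit grant would use "token" / "id_token"
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                     # CSRF binding, checked on the redirect
        "code_challenge": code_challenge,   # only the hash leaves the client
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


def verify_pkce(code_verifier, stored_challenge):
    """Server-side check at the token endpoint: the presented verifier must hash to the
    challenge stored with the authorization code, so a stolen code alone is useless."""
    return secrets.compare_digest(make_pkce_pair(code_verifier)[1], stored_challenge)


def classify_redirect(url):
    """'implicit' if tokens arrive in the fragment, 'code' if an authorization code
    arrives in the query string; useful when auditing which flow an app really uses."""
    parsed = urlparse(url)
    fragment = parse_qs(parsed.fragment)
    if "access_token" in fragment or "id_token" in fragment:
        return "implicit"
    if "code" in parse_qs(parsed.query):
        return "code"
    return "unknown"
```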

6 additional answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-05-12T22:44:00.717+00:00

    Hi @Siegfried Heintze ,

    Why do you not want to use it? Are you mainly looking for a sample app?

    From my understanding you need it if you are using OpenID connect or implicit grant flow, as you mentioned.

    https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens

    https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows


  2. Siegfried Heintze 1,861 Reputation points
    2020-05-12T23:27:25.41+00:00

    "Why don't you want to use it"

    I don't want to use Implicit Grant flow because it sounds like Microsoft does not recommend it for back end web apps with back ends. Is it correct that Microsoft does not recommend Implicit grant flow for webapps with back ends that authenticate with C# instead of MSAL.js?

    Well, I want to create a secure web site (that has a back end) that authenticates with OAuth (and AAD), and it sounds like the only way to do it is to authenticate with javascript/MSAL.js. Is this true?

    It says "checking access Token and ID Token are only recommended if app is SPA and has no back end..."
    Sounds like Microsoft is NOT recommending we authenticate web sites with back ends that authenticate with OAuth (unless we do it with javascript/MSAL.js). Is this true?

    Most web sites need back ends to be useful...


  3. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-05-14T15:20:19.283+00:00

    @Siegfried Heintze , Implicit flow is the only flow that we recommend for an SPA application. If you have no backend components or intend to invoke a web API via JavaScript, use of the implicit flow for token acquisition is recommended.

    The reason Microsoft does not recommend using Implicit Grant flow for any other type of implementation except SPA is the following two reasons:

    Also, I would like to state that, even though in the case of SPA applications Microsoft recommends Implicit grant flow, Microsoft doesn't encourage developers to write code to directly request the access token using REST calls from the application code; rather it recommends using the MSAL library to fetch tokens, which implements a more secure way of requesting a token.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


  4. Siegfried Heintze 1,861 Reputation points
    2020-05-14T17:56:37.747+00:00

    Thank you Soumi.
    Just to clarify, when you say

    rather it recommends using the MSAL library to fetch tokens,

    (1) Did you mean MSAL.js?

    (2) I've been exploring the many examples and have noticed that many of them use implicit grant flow because they are SPAs with no back end.
    Can someone please point me to a tutorial example that correctly uses MSAL.js to securely call a back end?

    (3) Let's suppose I follow your recommendation and call my ASP.NET/MVC WebAPI with MSAL.js. Please confirm that it is not possible for my custom WebAPI to securely use azure features such as azure queues (protected by AAD) via REST as described in create-queue4 as this would require implicit grant flow and these features must only be called directly from the browser via MSAL.js.

    (4) I've been studying TodoListController.cs and README.md. I'm struggling to understand the difference between the insecure implicit grant flow (when coding in C# inside a webapp to access the back end) and the behalf of flow. The documentation v2-oauth2-on-behalf-of-flow uses the term service-to-service and I'm wondering why this cannot work for webapp-to-service? Can I use the behalf of flow in the C# in a webapp to securely call a back end as a secure alternative to the implicit grant flow in C#? Is there a tutorial example of this I can study?

    Thank you again!

    Siegfried
