[keycloak-user] Implicit or Auth code flow for Angular/SPA apps

Eric B ebenzacar at gmail.com
Tue Sep 18 11:17:53 EDT 2018


We are deploying a new Angular SPA which leverages Keycloak for its SSO
abilities using OIDC.  The app is currently designed using Implicit flow to
retrieve short-lived access tokens via the keycloak JS adapter.

However, recently, I've been seeing some emails in the ietf mailing list
(https://www.ietf.org/mail-archive/web/oauth/current/msg16969.html)
indicating that Auth code should be preferred over implicit flow due to
security issues of having access tokens show up in browser history and/or
log files (if any SSL termination/inspection is in place/etc).

I understand the security concerns with having an AT show up anywhere in a
log file.  I do not, however, understand how the Auth Code flow can be
considered as more secure, or why it should be preferred over Implicit
flow.  Isn't having the Refresh Token in the browser/SPA a higher security
risk than having a short-lived AT in a log file?

What is the preferred mechanism to use today?  Is there a recommended
approach?

Thanks,

Eric
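The exposure difference the question turns on, as an added example that is not part of the original thread or of the Keycloak adapter: it parses the two redirect shapes (implicit: token in the fragment; authorization code: one-time code in the query string), reports what reaches browser history versus server or proxy logs, and redacts token parameters before a URL is logged. The callback URLs and token values are constructed samples, and `inspectRedirect` / `redactTokenParams` are names chosen here.

```javascript
// Constructed sample redirects (no real tokens or codes).
// Implicit flow: the bearer access token itself comes back in the URL fragment.
const IMPLICIT_REDIRECT =
  "https://app.example.com/callback#access_token=eyJhbGciOiJSUzI1NiJ9.SAMPLE.TOKEN" +
  "&token_type=bearer&expires_in=300&state=xyz";
// Authorization code flow: only a single-use code travels in the query string;
// tokens are fetched afterwards with a POST to the token endpoint.
const CODE_REDIRECT = "https://app.example.com/callback?code=SAMPLE_CODE&state=xyz";

// Report what a redirect URL exposes and where each part can end up.
// Fragment parameters are never sent to the server but still land in browser
// history; query parameters also reach any server, proxy or SSL-inspection log.
function inspectRedirect(urlString) {
  const url = new URL(urlString);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const has = (name) => query.has(name) || fragment.has(name);
  return {
    flow: has("access_token") ? "implicit" : has("code") ? "authorization_code" : "unknown",
    // A bearer token in a URL is replayable by anyone who reads it until it expires.
    exposesBearerToken: has("access_token") || has("id_token"),
    // A code is single-use and only useful to whoever can complete the exchange.
    exposesOneTimeCode: has("code"),
    inServerLogs: [...query.keys()],          // sent on the wire to the server
    inBrowserHistoryOnly: [...fragment.keys()], // kept client-side by the browser
  };
}

// Redact token-bearing parameters before a URL is written to an application log.
function redactTokenParams(line) {
  return line.replace(/((?:access_token|id_token|refresh_token)=)[^&\s]+/g, "$1[REDACTED]");
}

console.log(inspectRedirect(IMPLICIT_REDIRECT));
console.log(inspectRedirect(CODE_REDIRECT));
console.log(redactTokenParams("GET /callback#access_token=abc.def&state=xyz"));
```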

