It is 2023 and I am still having to explain the dangers of the OAuth Implicit Flow because I am still finding current documentation suggesting otherwise. Time to make another video to follow up on the one from 4 years ago?

Jun 7, 2023 · 10:09 PM UTC

Replying to @aaronpk
To me the fallacy is: why do most people even need to know anything about it? The choice of what grant to use should be enshrined in SDKs and platforms. The details should matter to very few people, outside of troubleshooting.
I absolutely agree, the problem is certain platforms *ahem* still haven't fully made the switch
Replying to @aaronpk
What’s the TL;DR? Other than “don’t use implicit flow” 😅
That's the TLDR. The longer version is explaining the intricacies in how the implicit flow relates to OpenID Connect and all the combinations of response types and response modes
Replying to @aaronpk
It’s like parenting. Coaching people on security issues is like parenting. You gotta say the important things, over and over and over. Endlessly. Without losing patience. They forget, they get distracted, they have other things to do. Remind them often.
Sounds a lot like advertising/marketing too. I suppose that's true with everything.
Replying to @aaronpk
I would watch it anyway so yes please. 👍
Replying to @aaronpk
Absolutely. I haven’t encountered folks in my day job who want to use the Implicit Flow for a while now, but it was a common request in 2021. I’m worried that folks are *lurking in the shadows* and waiting to scare me with this topic again.