Authentication does not work in ASP.NET MVC OpenIdConnect when I turn off Implicit Flow

I followed the documentation regarding how to implement Authentication Code Flow

Then I disabled all the authentication flows except Authorization Code and Refresh Token. Now when I try to log in with my test user I get an error saying:
unauthorized_client : Grant type ‘implicit’ not allowed for the client.

When I enable Implicit flow of course it works, but why would I need to enable it even though the documentation says I’m doing an Authorization Code flow?

If the documentation is wrong (or misleading) how can I enable Authorization Code flow (as opposed to Implicit flow) in the given ASP.NET MVC (OWIN) example?


Hi Reza,

What OWIN example are you using for this? Implicit Flow runs client side (JavaScript apps). In an MVC application, there is a callback URL running server side so it should be Authorization Code Flow as you stated. In your case, it seems the redirection to the Authorization Server is happening client side so it tries to use implicit flow.



Thanks for your reply!

I am using this example:

This is the redirection I pasted from the browser; broken down in multiple lines to make it more readable.

I’m also expecting it to be Authorization Code Flow, but why when I turn off Implicit in the Advanced settings, it stops working and gives me the error:

Everything on your end looks right to me. Even the response type in the URL is code, which means Authorization Code Flow.

This looks more like an issue on the Auth0 side to me.



I realize that this question was asked a while ago, but I thought I’d follow up since we just ran into the same problem.

It looks like the ASP.NET OWIN example is a little outdated with respect to the recommended flows. I think the reason for the warning is that you are requesting both code and id_token in the response_type, which triggers the Hybrid Flow rather than the Authorization Code Flow. And as far as I can tell, the Implicit grant type must be enabled to use Hybrid Flow.

So you can either choose to enable the Implicit grant type (not recommended), or remove id_token from the response_type argument and find a way to handle the token exchange.


Chiming in a bit late here but I came across this thread and wanted to point out that, apart from what is being mentioned by @StephanieMunck, with Katana it is important to ensure you have set RedeemCode = true, see How implements Authorization Code Flow ? · Issue #369 · aspnet/AspNetKatana · GitHub.

I would also like to add that I believe using Implicit Flow is a good idea, as long as you ensure you set the response type to be form_post. Doing so ensures you have no need to use a Client Secret (even though that is kept server-side, it is still better not having to use any at all), and should be perfectly fine unless you have the need to call an external API using an Access Token, in that case you probably want to resort to the Authorization Code Flow as mentioned above.


Thanks @StephanieMunck and @frederik.prijck, I will give both of these a try and post here if it worked (or not). It is a pity though if the official samples, of which there are just a few, are not up to date with the latest evolutions.

Let us know if you have any other questions down the road!

I can confirm too that for ASP.NET MVC/OWIN to work correctly with OIDC you need both values set in Options, otherwise Auth0 considers the request as of type Implicit (even if it’s not).

Options.ResponseType = OpenIdConnectResponseType.Code;
Options.RedeemCode = true;

Thanks @Reza, @StephanieMunck and @frederik.prijck for the valuable help.

Thanks for sharing that with the rest of the community!
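
The fix reported in this thread, written out as a full OWIN Startup class (an added example, not part of any post above and not the Auth0 sample's code). The appSettings key names are assumptions, and it needs a Microsoft.Owin.Security.OpenIdConnect release that includes RedeemCode. The notification is an extra guard that refuses to send any authorization request whose response_type is not exactly code.

```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Assumed appSettings keys; values come from the Auth0 application settings.
        string domain = ConfigurationManager.AppSettings["auth0:Domain"];
        string clientId = ConfigurationManager.AppSettings["auth0:ClientId"];
        string clientSecret = ConfigurationManager.AppSettings["auth0:ClientSecret"];
        string redirectUri = ConfigurationManager.AppSettings["auth0:RedirectUri"];

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://" + domain,
            ClientId = clientId,
            ClientSecret = clientSecret,   // used server-side when the code is redeemed
            RedirectUri = redirectUri,
            Scope = "openid profile",
            // Katana defaults to "code id_token" (hybrid), which the thread found
            // needs the Implicit grant enabled. Request the code only instead.
            ResponseType = OpenIdConnectResponseType.Code,
            RedeemCode = true,             // middleware exchanges the code at the token endpoint
            SaveTokens = true,             // keep the returned tokens in the auth properties
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Guard: fail closed if a later config change reintroduces a hybrid/implicit request.
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication &&
                        n.ProtocolMessage.ResponseType != OpenIdConnectResponseType.Code)
                        throw new InvalidOperationException("response_type must be 'code'");
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

With this in place, only the Authorization Code and Refresh Token grants need to be enabled for the application, which matches the setup described in the first post.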