Authorization Code Grant vs Implicit Grant

david.casillas · February 23, 2018, 10:17pm

Currently we hava a SPA backed by PHP API. The authorization runs in the backend (no Client Id or Secret are exposed to the browser), so we are using a pseudo Authorization code grant.

We are planning to update the workflow with 4 main objectives:

Switch to be OIDC conformant
Remove deprecated methods
Adopt Lock login form (currently using custom login form)
Better align with Auth0 patterns

The very first big question is if we should adopt Authorization Code Grant or Implicit Code Grant. Being a SPA seems that the second will be most suitable, but since we already have
authentication implemented in the server we could take also the first, letting the server lead the process.

Is there any major advantage / drawback chosing any of these two aproaches?

Right now we only support username/password and ADFS connections, but we surely will include others in the future.

One requirement:
We do not allow users to register. Any user login into the application must first be registerd by an admin. Since we find no way to prevent ADFS users to login, we have to implement a local database of registered users. Before any login attempt, the server checks if the user is in the database to continue to authentication in Auth0. This was what make us choose a custom login form and being able to remove it is another bonus.

How can the Hosted Login Form (Lock) prevent an ADFS user to login into the application if it is not first registered by an admin?

ricardo.batista · February 24, 2018, 12:19am

When making the authorization request directly from a SPA, you should use the implicit grant. However, if it is done from the backend (such as a web app), you should use an authorization code grant. You can see more information about which oauth flow to use here: https://auth0.com/docs/api-auth/which-oauth-flow-to-use

Depending on your use case, the authorization code grant provides an extra layer of security, since it needs to exchange the code for the tokens, while the implicit grant provides the tokens right away after a successful authentication.

Regarding your last point, you can prevent users from signing up by using the allowSignUp configuration option from Lock, which is also available in the hosted login page.

david.casillas · February 24, 2018, 5:44pm

Thanks for your answer. So it seems that if I can support it, Authorization Code Grant is better than Implicit Grant from a security point of view.

Regarding the second point, unfortunately there is no way to prevent ADFS users to signup. Auth0 just registers an ADFS user in the background the first time he tries to login and Auth0 gets a succesful response from the ADFS server, so even preventing then to signup in login form is not an option.

Regarding the “Disable signups” option, in the connection settings for ADFS there is no such an option, as there is in other types of connections like database or passwordless.

david.casillas · February 26, 2018, 5:02pm

Seems this topic has branched I have created a new topic to adress the ADFS subject.

http://community.auth0.com/questions/15164/prevent-adfs-users-login-if-they-are-not-registere