The IETF has recommended using Auth Code + PKCE over Implicit flow for several years for SPAs. Could you please recommend reviewing this important document to ensure current practice is employed for new applications?
This is summarised in section 4.
"However, there are several drawbacks to the implicit flow, generally involving vulnerabilities associated with the exposure of the access token in the URL. See Section 9.8 for an analysis of these attacks and the drawbacks of using the implicit flow in browsers. Additional attacks and security considerations can be found in [oauth-security-topics]."
https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-05
@paulspencerwilliams Thank you for the feedback. We are actively investigating and will get back to you soon.
We will be updating this documentation soon with the general availability of Auth Code + PKCE for MSAL.js coming in the next month or so.
@paulspencerwilliams We would be closing this thread now. Let us know if you need further help on the same.