...

This flow does not expose the identity token directly to the front-channel. The only thing exposed to the front-channel is the authorization code. As this is vulnerable to what is called authorization code interception, it is best practice to also use PKCE (Proof Key for Code Exchange), which you can simply activate in the client configuration in the CoreOne Suite Admin UI.

Info

PKCE will be mandatory with OAuth 2.1, so it’s a good practice to already use it wherever you can.
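To show what activating PKCE actually changes, here is an added example (not CoreOne Suite code) of the RFC 7636 S256 challenge and a hypothetical in-memory authorization server that binds each code to the challenge and rejects redemption without the matching verifier, including the interception and replay cases:

```python
import base64
import hashlib
import secrets

# Constructed in-memory stand-in for the authorization server's state
# (hypothetical; not CoreOne Suite's implementation).
_pending_codes: dict[str, str] = {}  # authorization code -> code_challenge


def make_code_verifier() -> str:
    """RFC 7636 verifier: 32 random bytes, base64url without padding (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize(code_challenge: str) -> str:
    """Front-channel step: the server issues a code bound to the client's challenge."""
    code = secrets.token_urlsafe(24)
    _pending_codes[code] = code_challenge
    return code


def token(code: str, code_verifier: str) -> bool:
    """Back-channel step: the code is single-use and only redeemable with the right verifier."""
    challenge = _pending_codes.pop(code, None)  # consumed even when the check fails
    if challenge is None:
        return False
    return secrets.compare_digest(code_challenge_s256(code_verifier), challenge)


def legitimate_exchange() -> bool:
    verifier = make_code_verifier()
    code = authorize(code_challenge_s256(verifier))
    return token(code, verifier)


def intercepted_code_exchange() -> bool:
    """A party that only saw the code on the front-channel has no verifier, so redemption fails."""
    verifier = make_code_verifier()
    code = authorize(code_challenge_s256(verifier))
    return token(code, make_code_verifier())


def replayed_code_exchange() -> bool:
    """Redeeming the same code a second time fails because it was consumed on first use."""
    verifier = make_code_verifier()
    code = authorize(code_challenge_s256(verifier))
    token(code, verifier)
    return token(code, verifier)
```

The same check on the client side is the `nonce` comparison mentioned for the implicit flow: the server enforces the binding, but the client library still has to send the verifier it generated.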

...

With the implicit flow, you are sending the identity token directly to the front-channel (the web browser, Android app, …). That means that the front-channel is in possession of the identity token. For some applications, mostly web applications, this is convenient as all the data from the token is directly accessible within the browser. But with convenience comes danger, as the identity token is present in the browser. To minimize the risk, the CoreOne Suite Authentication Services require a nonce by default. But this must be checked by the client library as well.

...

If you select the delegation flow, the CoreOne Suite will allow the API Gateway to get a token for the microservice on behalf of the user by sending its original token - issued for the API Gateway - to the CoreOne Authentication Services in return for an access token for the microservice.

...