Best practices

Knowing the possibilities of a product and the protocols its support is one thing. Understanding the best way to use it is a different story.

Why not to use the implicit flow?

The implicit flow originates from the time where browsers did not support Cross-Origin Resource Sharing (CORS). The implicit flow was therefore the designated method to use for single-page applications.

However it is less secure because it potentially leaks the access token, for example to the browser's history. And beceause no refresh tokens are emitted, long lived access tokens were often used.

Instead of the implicit flow the authorization code grant is recommened. But unlike the tranditional variant, one that does not require a secret for exchanging the authorization code for an access token.

What to use for mobile apps

For mobile apps, you likely want to use PKCE. PKCE ensures the issueing of an access token to the relying party, even if this application is not served over https, like mobile apps.

In case a mobile application is linked to an https domain it is safe to use the public authorization code grant flow, like you would use for single-page applications.

When to choose SAML?

In general, OpenID Connect is preferred over SAML for newly developed applications.

While before the introduction of OpenID Connect SAML was the protocol to use for authentication, OpenID Connect is the better alternative.

How to use OAuth without navigating the user away to a (remote) identity provider? has implemented OAuth 2.0 Web Message Response Mode.

This specification allows showing an overlay with a login box on your web service. A user stays within the context of the application he is using, but can still make use of secure single-sign on capabilities.

Preventing identity silos


How to ensure single logout


When not to use JSON Web Tokens (JWT)


Where to enforce access rights?


Authentication methods and preventing phishing attempts


Can I use JWTs without OAuth?

Yes, you can use JSON Web Tokens (JWT) without OAuth. However, this requires inventing your own token issueing protocol.

A central concept within OAuth is the issuing of access tokens. Access tokens could be opaque, but just as well in JWT format. Without using OAuth, you should think of another secure way to issue a JWT to a client system.