OIDC: URL differences in code flow and implicit flow


I am new to OIDC. I am referring to a video to use OIDC in my application.

Looking at the URLs for Code flow (Response type: code) and Implicit flow (Response type: id_token) I have noticed something strange: in the redirect URL the code is provided as a query parameter (following a ?), but the id_token follows a #. The same thing is happening in my application also. Why is the id_token not also provided as a query parameter? I have googled but did not find any answer.

code flow URL: (image not captured)

implicit flow URL: (image not captured)

(video ref: 39:03, 53:35)

Answer from Gary Archer:

Implicit flow is deprecated and returns tokens directly to the browser. It does so on a (client side) hash fragment which web servers do not include in their log files.

This used to be the solution back when Single Page Apps were new and Authorization Servers did not support CORS.

These days Authorization Code Flow is standard and I would focus all your efforts on that. In this model an Authorization Code is returned in a query parameter but:

  • It is one-time use, so even if included in server logs it cannot usually be exploited
  • It typically also requires a client secret in order to exchange it for tokens

These days the Code Flow should also use PKCE, which can be used in conjunction with a client secret.

Answer from dagnelies:

The reason why the authorization code flow uses ?code=... is because this code is intended for the server, which receives the query. On the contrary, the implicit flow uses #id_token=... because this is intended for the client. Browsers only send the URL without the fragment part after the hash to the server.

While the implicit flow regarding the (access) token has been deprecated in OAuth 2.1, the implicit flow regarding the id_token has not.

That said, it is best practice to use the auth code flow over the implicit one to avoid the token appearing in URLs.
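The following is an added example, not code from either answer or from the original question. It makes concrete the point both answers make about `?code=` versus `#id_token=`: for two constructed redirect URLs (the code and id_token values are placeholders, not real artifacts) it shows what the browser puts in the HTTP request line for the server, versus what a script on the page can read from the fragment. Runs under Node.js with built-ins only; `location.hash`-style handling is simulated by parsing the full URL string.

```javascript
// Added example (not from the original answers): what the server and the page each see.
// Constructed sample redirects; the code and id_token values are placeholders.
const CODE_FLOW_REDIRECT =
  "https://app.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj";
const IMPLICIT_FLOW_REDIRECT =
  "https://app.example/callback#id_token=placeholder.id.token&state=af0ifjsldkj";

// The request-target a browser sends for a navigation is path + query only. The fragment
// (RFC 3986 section 3.5) is kept client-side and never leaves the browser, which is why
// it does not show up in server access logs.
function requestTargetSentToServer(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Server-side view: parameters the callback endpoint can actually read.
function parseQueryParams(redirectUrl) {
  return Object.fromEntries(new URL(redirectUrl).searchParams);
}

// Client-side view: what an SPA reads from location.hash after the redirect.
function parseFragmentParams(redirectUrl) {
  const hash = new URL(redirectUrl).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(hash));
}

// Handle a redirect in the way the answers describe: check state first (it may live in
// either part), then report which artifact arrived and whether the server could have seen it.
function handleRedirect(redirectUrl, expectedState) {
  const query = parseQueryParams(redirectUrl);
  const fragment = parseFragmentParams(redirectUrl);
  const state = query.state !== undefined ? query.state : fragment.state;
  if (state !== expectedState) throw new Error("state mismatch: possible CSRF, abort");
  if (query.code !== undefined) {
    // One-time code: exchanged at the token endpoint (with client secret and/or PKCE verifier).
    return { kind: "code", value: query.code, visibleToServer: true };
  }
  if (fragment.id_token !== undefined) {
    // Token returned directly to the browser; the server never received it.
    return { kind: "id_token", value: fragment.id_token, visibleToServer: false };
  }
  throw new Error("redirect carried neither code nor id_token");
}

// Stand-alone usage.
console.log("server sees (code flow):     ", requestTargetSentToServer(CODE_FLOW_REDIRECT));
console.log("server sees (implicit flow): ", requestTargetSentToServer(IMPLICIT_FLOW_REDIRECT));
console.log("page sees (implicit flow):   ", parseFragmentParams(IMPLICIT_FLOW_REDIRECT));
console.log(handleRedirect(CODE_FLOW_REDIRECT, "af0ifjsldkj"));
console.log(handleRedirect(IMPLICIT_FLOW_REDIRECT, "af0ifjsldkj"));
```

Note the asymmetry the output makes visible: the implicit-flow request line is just `/callback`, so a server-side callback handler cannot process an id_token returned this way at all, while the code-flow request line carries the code, which is why the code is a one-time value and is bound to a secret or PKCE verifier before it is worth anything.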