api-platform-samples
Implicit grant flow is not secure
This is the implicit grant flow:
1. Authorization Request:
https://$org-$env.$api_domain/oauth/authorize?response_type=token&client_id=$consumerkey&redirect_uri=$callback&scope=READ&state=foobar
2. The API Provider Login Page Redirection URI:
https://$org-$env.$api_domain/oauth/samplelogingpage?client_id={request.queryparam.client_id}&response_type={request.queryparam.response_type}&scope={request.queryparam.scope}
3. On successful authentication, the login application invokes this URL, which returns the AccessToken to the App:
https://$org-$env.$api_domain/oauth/token?client_id=$consumerkey&response_type=code&app_enduser={userId}
In my opinion this is insecure: anybody knowing the app_enduser and the client_id could call the token endpoint and get a bearer token without the user having authenticated at all on the login page, because the token endpoint is not protected at all.
Imagine the scenario where we would be saving that app_enduser as a custom attribute linked to the bearer token, and then we have some other endpoint where we verify the access token, fetch that app_enduser from the token and pass it over to a target endpoint. Any malicious user could actually be impersonating the actual app end user.
I totally agree. This is not ready for implementation.
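To make the problem in the thread concrete, here is an added Python model (not code from api-platform-samples) of a token endpoint that behaves as step 3 describes, beside a hardened variant that issues a token only against a signed, short-lived, single-use assertion produced by the login application after it verified the user; the shared secret, the 60-second TTL and the client id are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one registered client_id (an assumption, not a real key).
REGISTERED_CLIENTS = {"consumerkey-123"}


def issue_token_insecure(client_id: str, app_enduser: str):
    """Models the flow above: nothing proves the user authenticated, so any caller
    knowing a valid client_id and a user id receives a token bound to that user."""
    if client_id not in REGISTERED_CLIENTS:
        return None
    return {"access_token": secrets.token_urlsafe(24), "app_enduser": app_enduser}


# Hardened variant (assumption): the login application and the token endpoint
# share a secret, and the login page signs an assertion only after verifying
# the user's credentials. The token endpoint then requires that assertion.
LOGIN_SECRET = secrets.token_bytes(32)
ASSERTION_TTL = 60          # seconds
_used_nonces: set = set()   # single-use enforcement (in-memory for the demo)


def _sign(payload: str) -> str:
    return hmac.new(LOGIN_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def login_assertion(app_enduser: str, client_id: str, now: int) -> str:
    """Issued by the login application after a successful login.
    Fields are '|'-separated, so the user id must not contain '|'."""
    payload = f"{app_enduser}|{client_id}|{now + ASSERTION_TTL}|{secrets.token_hex(8)}"
    return payload + "|" + _sign(payload)


def issue_token_hardened(client_id: str, assertion: str, now: int):
    """Issues a token only for a fresh, unused assertion signed by the login app
    for this very client_id; the user id comes from the assertion, never from a
    caller-supplied query parameter such as app_enduser."""
    try:
        user, cid, exp, nonce, sig = assertion.split("|")
    except ValueError:
        return None
    payload = f"{user}|{cid}|{exp}|{nonce}"
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if cid != client_id or client_id not in REGISTERED_CLIENTS:
        return None
    if now > int(exp) or nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)
    return {"access_token": secrets.token_urlsafe(24), "app_enduser": user}
```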