
I have recently migrated an internal application (API + SPA) security from Windows Authentication (done by IIS) to Azure A/D authentication using the implicit flow.

Now, every user must enter an e-mail address, password and an authentication code (typically generated by a mobile app).

The test environments also expose Swagger documentation that relies on a displayed ClientId and scope name to authenticate (user, password and code are still required).

After being done with the changes I have discovered that OAuth 2.0 Implicit Flow is not exactly recommended for new applications, but it is not clear to me if changing the flow should be a priority for me at this point:

The important thing to remember here is that there was no new vulnerability found in the Implicit flow. If you have an existing app that uses the Implicit flow, it’s not that your app is suddenly now insecure after this new guidance has been published.

That said, it is – and always has been – extremely challenging to implement the Implicit flow securely. If you have gone to the trouble of thoroughly auditing your source code, knowing exactly which third-party libraries you’re using in your application, have a strong Content Security Policy, and are confident in your ability to build a secure JavaScript application, then your application is probably fine.

So should you immediately switch all your apps to using PKCE instead of the Implicit flow? Probably not, it depends on your risk tolerance. But at this point I would definitely not recommend creating new apps using the Implicit flow.

A source code audit was never done (just a security audit for the API endpoints), so I guess there is a potential risk when working with some third-party libraries in the SPA.

Considering that the application is an internal one (domain visible only to VPN connected users, all operations require an authenticated A/D user), should I worry about using the implicit flow or should I switch to the OAuth Authorization Code Flow asap?

Alexei
  • What do you see going wrong if the application's authentication/authorization is circumvented? How dangerous do you think that is? – Limit Feb 12 '21 at 19:02
  • During COVID times, when you have a lot more devices connecting from employees' homes, you are likely more exposed than if it was just devices in the same physical location connected via the domain/corp net – Limit Feb 12 '21 at 19:04

0 Answers