Our thoughts on implicit grant with Microsoft identity
First, it is important to understand that this emerging recommendation is not the result of any newly discovered vulnerability in the way users are authenticated in SPAs. Instead, it is an evolution of best practices as new capabilities become available in web browsers, mobile devices, and identity systems. Large collaborative efforts such as OAuth2 mean that guidance evolves in public, so that as an industry we can move towards better interoperability and security across our platforms. Sometimes these best practices turn out to be impractical when implemented in the real world, and sometimes the industry floats new proposals that are adopted industry-wide before the standards are updated.
The implicit grant is not perfect, and we are working collaboratively with both the OAuth2 working group and browser vendors on a few concerns that have emerged since the OAuth standard was ratified. These include tokens returned in the URL fragment ending up in browser history, and new restrictions that some browser vendors are placing on the use of cookies. However, we do not recommend any changes to SPA implementations at this time.
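To make the browser-history concern concrete, here is an added example (not code from the original post, and not MSAL or any Microsoft library) of what an implicit-grant redirect looks like and how a SPA can pull the token out of the fragment and scrub it from the URL before the page settles. The redirect URL, token value and state value are constructed sample data; the function names are this example's own.

```javascript
// Added example, not part of the original post. With the implicit grant the
// authorization server returns the token in the URL *fragment* (after '#').
// Browsers do not send the fragment to the server, but they do record the full
// URL in history and the address bar, which is the concern mentioned above.
// The redirect below is constructed sample data, not a real token.
const SAMPLE_REDIRECT =
  'https://app.example.com/callback#access_token=eyJhbGciOi.sample.token' +
  '&token_type=Bearer&expires_in=3599&state=abc123';

// Fragment parameters that should never be left in the URL once consumed.
const SENSITIVE_PARAMS = ['access_token', 'id_token', 'code', 'state'];

// Parse the fragment of an implicit-grant redirect into a plain object.
function parseImplicitFragment(url) {
  const u = new URL(url);
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));
  const result = {};
  for (const [key, value] of params) result[key] = value;
  return result;
}

// Return the same URL with the sensitive fragment parameters removed.
// If nothing remains in the fragment, the '#' is dropped entirely.
function scrubFragment(url) {
  const u = new URL(url);
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));
  for (const name of SENSITIVE_PARAMS) params.delete(name);
  u.hash = params.toString();
  return u.toString();
}

// Consume an implicit-grant redirect: check for an error response, verify the
// state round-trip (CSRF protection), extract the token, and hand back the
// scrubbed URL the app should write back into the browser.
function handleImplicitRedirect(url, expectedState) {
  const resp = parseImplicitFragment(url);
  if (resp.error) {
    throw new Error(`authorization error: ${resp.error}`);
  }
  if (!resp.state || resp.state !== expectedState) {
    throw new Error('state mismatch: possible CSRF or stale request');
  }
  if (!resp.access_token) {
    throw new Error('no access_token in fragment');
  }
  return {
    accessToken: resp.access_token,
    tokenType: resp.token_type,
    expiresIn: Number(resp.expires_in),
    cleanUrl: scrubFragment(url),
  };
}

// In a real SPA, after handleImplicitRedirect() succeeds you would call
// history.replaceState(null, '', result.cleanUrl) so the token does not stay
// in the address bar or the history entry. That call is not made here because
// this example runs without a window object.
const result = handleImplicitRedirect(SAMPLE_REDIRECT, 'abc123');
console.log('token expires in', result.expiresIn, 's; clean URL:', result.cleanUrl);
```

Note that scrubbing the URL only removes the token from the address bar and the history entry written by `replaceState`; it does not undo the fact that the token travelled in a URL, which is one reason the working-group discussion the post refers to exists.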
As always, feel free to reach out to us on our Twitter account, GitHub repository, or Stack Overflow.
-The Microsoft identity platform team