Missing Implicit Grant type: The new norm in WSO2 APIM 3.2.0

Saranki Magenthirarajah
6 min readMar 30, 2021

--

[Source: https://s3.amazonaws.com/lowres.cartoonstock.com/military-jigsaw_puzzle-jigsaws-missing_pieces-lost_person-missing_persons-tzun1199_low.jpg]

The emerging application growth in the technology world has created an enormous demand for application security and user privacy. Authentication and authorization have captured a remarkable stand in the field of security. To keep the applications and user privacy protected, the security standards need to be up to date. Various security standards are being followed all around the world by different organizations and individuals.

This blog will walk you through one of the important authorization standards which have been widely used in today’s technology world along with how it has impacted the WSO2 APIM-3.2.0 product’s security model compared to its previous versions. The authorization standard to be discussed in this blog is “OAuth2.0”.

What and Why OAuth 2.0 grant types ???

[Source: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSz_sU4jogWQx0uu2vrC_rR6e0ADSBgkcIqMQ&usqp=CAU]

OAuth is a framework based on the industry-standard protocol for authorization to permit 3rd party applications to access protected data on behalf of the user. In simple terms, “A framework for delegated authorization”.

OAuth framework has 3 versions as of now. They are,

  1. OAuth Core 1.0
  2. OAuth Core 1.0a (OAuth Core 1.0 Revision A)
  3. OAuth 2.0

OAuth 2.0 provides various authorization flows for different scenarios considering the devices, entities, and the purpose involved in such scenarios. These different types of flows are known as the “OAuth Grant Types”. There are multiple such grant types and below is a brief on them

  • Authorization Code Grant Type is used with server-side web applications.
  • Implicit Grant Type is used with client-side (single page web applications, mobile applications) applications.
  • Resource Owner Password Credential Grant Type is used with trusted applications. Mostly with those applications that have both mobile and web versions of it.
  • Client Credential Grant Type is used by clients to access resources about its own services rather than to access a user’s resources. There aren’t any explicit resource owners available for this grant type.

Out of the above-mentioned grant types, we will be focusing on the “Implicit Grant Type” throughout this blog.

Implicit Grant Type: A quick tour

[Source: https://docs.wso2.com/download/attachments/92523218/OAuth%20grant%20types%20-%20Implicit.png?version=1&modificationDate=1515735103000&api=v2]

The “Implicit Grant Type” is a way for single-page JavaScript applications to get an access token without any intermediate code exchange step as we have in authorization code grant type. The flow-on how the access token is generated through “Implicit Grant Type” is illustrated in the above image.

The bond between WSO2 APIM and Implicit Grant Type

[Source: https://penandpastel.files.wordpress.com/2018/04/b32e1b23bc53c36541ccdef8831e87b2_mr-bean-cartoon-clipart-clipartxtras-mr-bean-cartoon-clipart_300-300.png?w=300]

Throughout the WSO2 APIM history the “Implicit Grant Type” has been a part of the authorization flow. In wso2am-2.X.X, wso2am0–3.0.0, and even in wso2am-3.1.0 we can still see that the “Implicit Grant Type” is available to authorize the user.

  • wso2am-2.X.X
[Source: https://docs.wso2.com/download/attachments/97564572/implicit-grant.png?version=1&modificationDate=1527160507000&api=v2]
  • wso2am-3.0.0 and wso2am-3.1.0
[Source: https://apim.docs.wso2.com/en/3.1.0/assets/img/learn/implicit-grant.png]

From wso2am-3.2.0 onwards the “Implicit Grant Type” has been deprecated and will be completely removed from future releases as well.

Why not Implicit Grant Type?

[Source: https://lowres.cartooncollections.com/cats-pet_cats-cat_owners-cat_lovers-lost_cats-animals-CC134963_low.jpg]

“The measure of intelligence is the ability to change.”― Albert Einstein

In general, to protect the applications from security hazards the security standards, tools and frameworks need to be updated in a way that they address and mitigate the existing security hazards. Similarly, OAuth 2.0 also identified that the “Implicit Grant Type” might not be a suitable security mechanism to protect the user authorization flow due to the following reasons.

  • Implicit grant type directly returns the access token in its authorization response. This is vulnerable and leads to access leakage.
  • No viable mechanism exists to cryptographically bind access tokens issued in the authorization response to a certain client which leads to easy detection of the access token.
  • No refresh tokens are returned.
  • Implicit grant has been used more or less like a compromise for Authorization code grant since in early days the JS in browsers accepted to make requests only to the same browsers. Later, with the aid of CORS, this issue got sorted.

Since WSO2 APIM is also following OAuth 2.0 standards it has deprecated the “Implicit Grant Type” from wso2am-3.2.0 onwards.

Get the Implicit Grant Type in WSO2 APIM 320

[Source: https://s3.amazonaws.com/lowres.cartoonstock.com/social-issues-lost_and_found-lost-losing-losers-finding-rde8842_low.jpg]

By default, in wso2am-3.2.0 the “Implicit Grant Type” is not available in the devportal.

Fig 1: No implicit grant type in the devportal

As an alternative, you can get the “Implicit Grant Type” for the application in the carbon management console. But this is only available if you generate the client key and secret for the application. You can check it by following the below-mentioned steps.

  1. Generate the client key and secret for the application
  2. Navigate to carbon management console via https://<hostname>:<port>/carbon url
  3. Navigate to Main → Identity → Service Providers →List and click the “edit” button of the desired application for which you have generated the client key and secret
Fig 2: Select the Service Provider of the application

4. Expand Inbound Authentication Configuration → OAuth/OpenID Connect Configuration → Edit

Fig 3: Expand the “OAuth/OpenID Connect Configuration” and click on “Edit”

5. You can see that the “implicit” grant type is available by default, in the carbon management console

Fig 4: Implicit grant type in the carbon management console

Get the Implicit Grant Type in WSO2 APIM 320 Devportal

This part of the blog will walk you through the steps on how to get the implicit grant type option in the devportal upon which you can generate the access token. You can enable the implicit grant type via the admin portal. The detailed steps are displayed below.

  1. Navigate to the admin portal via https://<hostname>:<port>/admin url

2. On the left menu panel click on “Key Managers

Fig 5: Click on “Key Managers”

3. Click on “Resident Key Manager

Fig 6: Click on “Resident Key Manager”

4. Under “Grand Types” add implicit and press enter

Fig 7: Add “implicit” and press enter

5. Click on “Update

Fig 8: Click on “Update”

6. Navigate to devportal via https://<hostname>:<port>/devportal url

7. Open an application and navigate to “Production Keys” or “Sandbox Keys”

Fig 9: Click on either “Production Keys” or “Sandbox Keys”

8. Now you can see the implicit grant type checkbox

Fig 10: Implicit grant type is visible now

Due to the already discussed security concerns, WSO2 has not displayed the implicit grant type checkbox in the devportal in wso2am-3.2.0. This is purely to discourage the customers from using a vulnerable authorization grant type. Even though you have the luxury to enable the “Implicit Grant Type” in wso2am-3.2.0, it is highly recommended not to use it, and as OAuth 2.0 recommends try to use “Authorization Code Grant Type”.

In a nutshell!

Hey Folk, in this blog we have seen the basic concepts of OAuth and the grant types along with how “Implicit Grant Type” has been serving in WSO2 APIM. Next, we also checked the reasons why OAuth 2.0 removed deprecated/discourage its users to use “Implicit Grant Type”. In the final section, we learned how to enable the “Implicit Grant Type” in wso2am-3.2.0. Please remember that even though you can enable the “Implicit Grant Type” it is highly recommended not to use it.

I hope that this will be a useful read especially for those who are searching for the implicit grant type in wso2am-3.2.0.

Happy Learning and Stay Safe!!!

[Source: https://miro.medium.com/max/960/1*NvU2VdMSYkjuGuLcmxw0LA.gif]

References

[1] https://apim.docs.wso2.com/en/latest/learn/api-security/oauth2/grant-types/implicit-grant/

[2] https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.1.2

[3] https://fusionauth.io/blog/2020/04/15/whats-new-in-oauth-2-1/

[4] https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead

--

--