Concerns Regarding Disabling Implicit Grant Flow in Zendesk OAuth
Answered
Posted Jan 15, 2025
Dear Zendesk Team,
We would like to address the recent decision to disable the implicit grant flow for OAuth. While we understand the intent to improve security, this change does not align with our practical use case and introduces significant challenges.
Key Points:
- No Real Security Improvement:
  - The implicit flow is not inherently less secure than the authorization code flow in our controlled environment.
  - Since the access token is processed within our controller, it is still exposed to browser extensions or malicious scripts in both scenarios.
- Huge Disadvantage for Us and Our Customers:
  - Switching to the authorization code flow would require all our customers to update their business program that we deliver.
  - Many customers are unlikely to update just to support new Zendesk integrations for new users, especially for such a small functionality.
Our Request:
We kindly request Zendesk to reconsider disabling the implicit grant flow or provide an opt-in option for customers where this change imposes significant operational and practical challenges.
Thank you for your understanding and consideration.
1 comment
Caroline Kello
Hey Sarah,
Thanks for the detailed feedback regarding our announcement to deprecate these flows. I appreciate you taking the time to reach out.
After careful consideration of the security implications and industry standards, we must maintain our decision to deprecate both the Implicit grant type and Password grant type. Here are the key points for the Implicit grant flow that guided our decision:
While we recognize that you trust your specific environment and have built it securely, the Implicit grant flow is nevertheless considered less secure. We believe that providing an opt-in option would still expose our customers to risks which we feel are not acceptable. While the migration to the Authorization code flow does require effort, we believe that the long-term security benefits to all our customers outweigh the initial challenge in migration.
Thank you again for taking the time to share your feedback. We appreciate you being a valuable Zendesk Community member and customer.