
Concerns Regarding Disabling Implicit Grant Flow in Zendesk OAuth

Answered


Posted Jan 15, 2025

Dear Zendesk Team,

We would like to address the recent decision to disable the implicit grant flow for OAuth. While we understand the intent to improve security, this change does not align with our practical use case and introduces significant challenges.

Key Points:

  1. No Real Security Improvement:
    • The implicit flow is not inherently less secure than the authorization code flow in our controlled environment.
    • Since the access token is processed within our controller, it is still exposed to browser extensions or malicious scripts in both scenarios.
  2. Huge Disadvantage for Us and Our Customers:
    • Switching to the authorization code flow would require all our customers to update their business program that we deliver.
    • Many customers are unlikely to update just to support new Zendesk integrations for new users, especially for such a small functionality.

Our Request:

We kindly request Zendesk to reconsider disabling the implicit grant flow or provide an opt-in option for customers where this change imposes significant operational and practical challenges.

Thank you for your understanding and consideration.

1 comment

Caroline Kello

Zendesk Product Manager

Hey Sarah, 

Thanks for the detailed feedback regarding our announcement to deprecate these flows, I appreciate you taking the time to reach out.

After careful consideration of the security implications and industry standards, we must maintain our decision to deprecate both the Implicit grant type and Password grant type. Here are the key points for the Implicit grant flow that guided our decision:

  • Security risks: The Implicit grant flow, while historically utilized for browser-based applications, poses significant security risks. It is more susceptible to phishing attacks and the token has the potential of being exposed. This exposure increases the risk of token interception and replay attacks, potentially compromising user data or allowing unauthorized access.
  • Alignment with industry standards and best practices: The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit grant flow. Instead, it advocates for the Authorization code flow with Proof Key for Code Exchange (PKCE), which provides a significantly higher level of security for authorization processes in browser-based applications. This method protects the authorization process and minimizes risks associated with token exposure. Here’s our documentation on Using PKCE to make Zendesk OAuth access tokens more secure.
  • Enhancing our OAuth implementation: We have already implemented support for the authorization code flow with PKCE, which enhances the security of the authorization process. Additionally, we will be adding support for the client credentials flow, further aligning our offerings with modern security standards and providing a more secure environment for all customers.

While we recognize that you trust your specific environment and have built it securely, the Implicit grant flow is nevertheless considered less secure. We believe that providing an opt-in option would still expose our customers to risks which we feel are not acceptable. While the migration to the Authorization code flow does require effort, we believe that the long-term security benefits to all our customers outweigh the initial challenge in migration.


Thank you again for taking the time to share your feedback. We appreciate you being a valuable Zendesk Community member and customer. 
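As an added illustration of the Authorization code flow with PKCE that the reply recommends (example code written for this page, not Zendesk's implementation and not taken from the thread): the client derives a one-time code_verifier and its S256 code_challenge as RFC 7636 specifies, and a constructed toy authorization server, standing in for the real /authorize and /token endpoints, refuses to exchange an authorization code unless the matching verifier is presented. The client id `my_app` and the toy server are assumptions.

```python
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved chars (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """Constructed stand-in for an authorization server's /authorize and /token endpoints."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge):
        # The challenge arrives with the /authorize request and is bound to the issued code.
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._pending.pop(code, None)  # authorization codes are single-use
        if entry is None or entry[0] != client_id or not code_verifier:
            return None
        # Recompute the challenge from the presented verifier; compare in constant time.
        if not secrets.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None
        return "tok_" + secrets.token_hex(8)  # constructed opaque access token

def run_exchange():
    """Returns (legit client got a token, party holding only the code got a token)."""
    server = ToyAuthServer()
    verifier = make_code_verifier()
    code = server.authorize("my_app", make_code_challenge(verifier))
    code_only = server.token("my_app", code, None)  # code seen in the redirect, no verifier
    code = server.authorize("my_app", make_code_challenge(verifier))
    legit = server.token("my_app", code, verifier)
    return legit is not None, code_only is not None
```

Unlike the Implicit flow, where the access token itself appears in the redirect, an authorization code observed in transit is worthless to anyone who does not also hold the verifier the client kept in memory.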