
I am new to OIDC. I am referring to a video to use OIDC in my application.

Looking at the URLs for Code flow (Response type: code) and Implicit flow (Response type: id_token) I have noticed something strange: in the redirect URL the code is provided as a query parameter (following ?) but the id_token follows #. And the same thing is happening in my application as well. Why is the id_token also not provided as a query parameter? I have googled but did not find any answer.

code flow url: [image: code flow]

implicit flow url: [image: implicit flow]

(video ref: 39:03, 53:35)

sql_dummy

1 Answer

Implicit flow is deprecated and returns tokens directly to the browser. It does so on a (client side) hash fragment which web servers do not include in their log files.

This used to be the solution back when Single Page Apps were new and Authorization Servers did not support CORS.

These days Authorization Code Flow is standard and I would focus all your efforts on that. In this model an Authorization Code is returned in a query parameter but:

  • It is one-time use, so even if included in server logs it cannot usually be exploited
  • It typically also requires a client secret in order to exchange it for tokens

These days the Code Flow should also use PKCE, which can be used in conjunction with a client secret.

Gary Archer