Question

I have a simple REST API based on Asp.Net Core technology.

Now I want to add OpenID to this API.

The API would be used from mobile applications, single-page applications and possibly other API services (not necessarily).

It seems that I need the Authorization flow, or Implicit, or even Hybrid, but as far as I understand, when you use them the user needs to explicitly agree to the rights the flow requests. That's not what I want; the flow must be invisible to the user.

So, what flow should I choose?


Solution

Your API will not (normally) know or care what flow was used to obtain an access token; different client applications may use different flows.

Authorization flow and Hybrid flow are only suitable for confidential clients, i.e. ones that can keep a client secret. Single-page apps and mobile applications cannot keep a client secret, as the code is distributed to end users (e.g. in the .js files downloaded by your SPA). Therefore you should use Implicit flow in both cases.

Update: Implicit flow is dead; using code flow with PKCE for public clients is now recommended, see:

Licensed under: CC-BY-SA with attribution