oAuth2 Grant Types -

Steven Cinquegrana

I've just been reading through the latest oAuth2 doco (yes, I was really bored) and two questions emerged:

1. oAuth has deprecated Implicit flow/grant type stating in its Current Best Practice paper that it “recommends against using the Implicit flow entirely”. (Amazon cease support in April, 2021.) Will Blackbaud similarly be retiring Implicit flow and if so, what is the timeline?
2. Of the recommended flows, the Device Code grant type is recommended for “browserless or input-constrained" devices and apps. Does Blackbaud have any plans to introduce support for Device flow and if so, is there a timeline for implementation?

This is likely a question for @Ben Lambert.

Thank you.

Steve Cinquegrana | CEO and Principal Developer | Protégé Solutions

Daniel Leonard

@Steven Cinquegrana Thanks for the question. I will answer what I can. @Ben Wong Can you speak more to the timeline?

We are currently in the process of implementing the PKCE grant type and will be working toward the deprecation of implicit flow after that. There are currently no plans to implement device code grant type.

Steven Cinquegrana

@Daniel Leonard Thanks for the quick reply.

Re: Auth Code + PKCE, that's what I'd expect given the recommendations. It's a pity about Device Code flow because it's also a good/easier option for native apps such as desktop and service apps.

Ben Wong

@Daniel Leonard @Steven Cinquegrana exact dates are TBD but we're definitely aiming for Q1 to have PKCE available and will provide a timeline for when implicit flow will be deprecated.

Daniel Leonard

@Steven Cinquegrana Authorization Code flow with Proof Key for Code Exchange (PKCE) is now generally available. Implicit flow will be deprecated for new apps at the end of Q1 2023. We plan to drop support for Implicit flow for all apps by the end of Q2 2023.