---
title: "Identity, Unlocked...Explained | Episode 4"
description: "Daniel Fett joins the podcast today to talk about the security BCP document."
authors:
  - name: "Vittorio Bertocci"
    url: "https://auth0.com/blog/authors/vittorio-bertocci/"
date: "Oct 26, 2020"
category: "Developers,Campaigns,Identity Unlocked"
tags: ["identity-unlocked", "podcast", "auth0", "bcp"]
url: "https://auth0.com/blog/identity-unlocked-explained-episode-4/"
---

# Identity, Unlocked...Explained | Episode 4



## The Overview

On the fourth episode of _Identity, Unlocked_, host Vittorio Bertocci, principal architect at [Auth0](https://auth0.com/), is joined by Daniel Fett, a security specialist at yes.com. Daniel received his Ph.D. from the University of Stuttgart through research on the formal analysis of web protocols. Daniel joins the podcast today to talk about the security BCP document. 

A BCP (Best Current Practice) document describes the best current practices for a given field. Fett is a co-author of the [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16) document and has been working on it for some time. This document gives an update on the best industry practices, but it does not override the core specifications. Instead, it provides additional information and practices for OAuth. While there are many great recommendations in this document, the three that stand out most to Daniel are:

1. Recommendations to not use the implicit grant any longer.
2. If the authorization code grant is used, PKCE should also be used.
3. Use sender constraining for the access tokens when possible, or at least have rotation for the refresh tokens.

The implicit grant is the flow in which the authorization server creates the access token and returns it directly to the browser that requested it. Although this is convenient from a usability standpoint, it raises several problems from a security perspective, and Daniel unpacks a number of them. Next, he and Vittorio discuss using PKCE with the authorization code grant. PKCE helps to combat a mix-up attack. This type of attack is called a code injection attack, where attackers obtain an authorization code and try to use it in a client session that did not request it. With PKCE, the client invents a fresh code verifier (and the code challenge derived from it) for each run, and the authorization server will only accept a code that is bound to the same code challenge. This means that if an attacker tries to inject another code, it will not be bound to the correct code challenge and will be rejected. Finally, Daniel explains the BCP recommendations around sender constraining. He recommends sender-constraining access tokens whenever possible. 
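To make the PKCE binding concrete, here is an added example (not code from the podcast, the BCP, or yes.com) that models both sides: the client derives an S256 code challenge from a fresh verifier, and a minimal, constructed in-memory authorization server records the challenge with each issued code and only redeems a code whose verifier matches. The second run in `demo_binding_check` shows a code from another run being rejected, which is the code injection defense Daniel describes.

```python
import base64
import hashlib
import secrets

# Constructed in-memory authorization server state: code -> (client_id, code_challenge).
# A real server would also track expiry, redirect_uri and scope; this keeps only the binding.
_issued_codes = {}

def make_verifier() -> str:
    """Client side: a fresh high-entropy code_verifier for every authorization run
    (RFC 7636 requires 43-128 unreserved characters; 32 random bytes give 43)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def make_challenge(verifier: str) -> str:
    """Client side: S256 code_challenge = BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def issue_code(client_id: str, code_challenge: str) -> str:
    """Server side: issue an authorization code and remember which challenge it is bound to."""
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = (client_id, code_challenge)
    return code

def redeem_code(code: str, client_id: str, code_verifier: str) -> bool:
    """Server side: the token request succeeds only if the presented verifier hashes to the
    challenge recorded with this code. The code is consumed on first use either way."""
    entry = _issued_codes.pop(code, None)
    if entry is None:
        return False  # unknown, expired, or already used
    bound_client, bound_challenge = entry
    if bound_client != client_id:
        return False
    # Constant-time comparison so the check does not leak the challenge byte by byte.
    return secrets.compare_digest(make_challenge(code_verifier), bound_challenge)

def demo_binding_check():
    """Run 1: a client redeems the code issued for its own challenge (accepted).
    Run 2: a code issued for a different challenge is presented with the first
    client's verifier, as in a code injection attempt (rejected)."""
    verifier_a = make_verifier()
    code_a = issue_code("app", make_challenge(verifier_a))
    verifier_b = make_verifier()
    code_b = issue_code("app", make_challenge(verifier_b))
    accepted_own = redeem_code(code_a, "app", verifier_a)
    accepted_injected = redeem_code(code_b, "app", verifier_a)
    return accepted_own, accepted_injected
```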

## Key Takeaways:

**[4:20]** - What is a BCP document, and how is it different from the core specification?
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/23714281?clip=684211d2&embed=true"></iframe> 

**[6:48]** - What are the top three most impactful recommendations in the BCP?
Here’s the list of direct links to the top three spec recommendations Daniel mentions:

* Don’t use the [implicit grant](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.1.2) to get access tokens
* [Use PKCE for every code authorization flow](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.1.1), regardless of client type
* [Sender constraint for access tokens and/or refresh token rotation](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.2)
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/23714281?clip=c09b4490&embed=true"></iframe> 

**[7:59]** - What are the problems with the implicit grant?
The problems with the implicit grant have been explored in the podcast [episode about OAuth 2.1 with Aaron Parecki](https://auth0.com/blog/identity-unlocked-explained-episode-2/) (last section), and we expanded on the issues further in [this post](https://auth0.com/blog/oauth2-implicit-grant-and-spa/). Check those out if you want to dig deeper!
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/23714281?clip=f39ed326&embed=true"></iframe> 

**[16:02]** - Using PKCE with the authorization code grant.
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/23714281?clip=b4930d9d&embed=true"></iframe> 

**[26:09]** - What are the BCP recommendations around sender constraint?
This is a topic we explored in depth with Brian on the podcast’s inaugural episode; you can find the audio and associated explanations [here](https://auth0.com/blog/identity-unlocked-explained-episode-1/).
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/23714281?clip=59a3e3d9&embed=true"></iframe> 

### Links/Resources:

Learn more about [Daniel Fett](https://danielfett.de/)<br />
Visit [yes.com](https://yes.com/)

Vittorio Bertocci on [LinkedIn](https://www.linkedin.com/in/vittoriobertocci/)<br />
Vittorio Bertocci on [Twitter](https://twitter.com/vibronet)<br />

Learn more about [Identity, Unlocked](https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/episodes)<br />
Learn more about [Auth0](https://auth0.com/)<br />

<include src="asides/IdentityUnlocked" />

<include src="asides/AboutAuth0" />
