Security Measures in Implicit Flow
1. Signing and validating access tokens
https://auth0.com/docs/jwks
Access tokens are signed by the Identity Server with its private key (RS256) and validated on the client side with the matching public key, which the client fetches from the server's /jwks endpoint. The client should pin the expected algorithm (RS256) and select the verification key by the kid in the token header, rather than trusting an alg or key supplied by the token itself.
2. Check audience with client_id
https://stackoverflow.com/questions/17241771/how-and-why-is-google-oauth-token-validation-performed/17439317
As the above thread explains, it is critical that the audience (aud) claim in the token exactly matches our client_id; otherwise a token issued to a different client could be replayed against our application (the confused deputy problem). I can confirm that the angular-oauth2-oidc library we are using performs this check.
3. Use of TLS (https) between the Identity Server endpoints and the callback endpoint. With https the URL path, headers and body are all encrypted in transit, so the token (in the redirect fragment or later in the Authorization header) is protected on the wire. Note that TLS does not protect the token once it is in the browser; a token carried in the URL fragment can still end up in browser history, which is why the short token lifetime in point 5 matters.
https://tools.ietf.org/html/rfc6819#section-4.4.2.1
4. Use of the state and nonce parameters. Both are generated by the client before the redirect, kept locally and compared with the values that come back: state ties the callback to the request that started it (protection against CSRF on the redirect URI), and nonce is echoed in the ID token so a token captured elsewhere cannot be replayed into this session.
https://tools.ietf.org/html/rfc6819#section-3.6
5. Lastly, access tokens are valid for only 5 minutes, and a new one is requested approximately every 4 minutes via the library's silent refresh feature (a hidden iframe repeats the authorization request with prompt=none while the Identity Server session is still valid), so a leaked token has only a short window of use.