Dear RingCentral Developer Community,
Following the recommendations from the OAuth community, we will be working in the coming months to reduce and eventually eliminate support for the implicit grant type for OAuth, with a goal of completing the process by March 2023. The core reason for eliminating this authentication mode is to help improve the security of the apps operating on our platform.
Why are we making this change?
Using implicit grant, apps receive access tokens without an opportunity to authenticate themselves, which, in turn makes the apps vulnerable to various exploits, which can grant others access to their account data. We, along with the OAuth community, recommend developers switch their apps over to use the authorization code with PKCE, which addresses the shortcomings of the implicit grant protocol.
Who is affected by this change?
The good news is that only a small number of developers are affected by this change, and those impacted have already been contacted via email. Given the small number of those affected by this change, we won't discontinue support until we can safely transition those developers to PKCE. However, any apps not actively using this authentication method will have implicit grant explicitly disabled.
What do I need to do?
RingCentral recommends that all developers adopt PKCE as a way to harden their applications and improve security. If you are using implicit grant today, then adopting PKCE is required. RingCentral's SDKs have already been updated to support this protocol and you can find documentation in our Developer Guide to help you if you need assistance in making this transition.
We know changes like this can be disruptive, so we want to thank the developer community in helping us to make this important transition to better secure our network.
Sincerely, RingCentral Developer Support