Same for Deutsche Telekom. Our javascript clients also use code flow with CORS 
processing and of course redirect_uri validation.

Best regards

Sebastian

From: OAuth [mailto:[email protected]] On behalf of Bill Burke
Sent: Friday, 17 February 2017 00:14
To: [email protected]
Subject: Re: [OAUTH-WG] Google's use of Implicit Grant Flow


For our IDP [1], our javascript library uses the auth code flow, but requires a 
public client, redirect_uri validation, and also does CORS checks and 
processing.  We did not like Implicit Flow because

1) access tokens would be in the browser history

2) short lived access tokens (seconds or minutes) would require a browser 
redirect

I'd be really curious to hear others' thoughts though.

[1] http://keycloak.org
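The two server-side checks Bill and Sebastian describe for a public JavaScript client on the code flow (exact redirect_uri validation and CORS processing on the token endpoint), as an added Node.js example; this is not Keycloak's or Deutsche Telekom's code, and the client registry, redirect URIs and origins are assumed for the demonstration.

```javascript
// Added example, not Keycloak's or Deutsche Telekom's code: the two server-side
// checks the thread names for a public JavaScript client on the code flow.
// Client registry, redirect URIs and origins below are constructed for the demo.
const CLIENTS = {
  'spa-client': {
    publicClient: true, // no client secret: redirect_uri and Origin are the only binding
    redirectUris: [
      'https://app.example.com/callback',
      'http://localhost:3000/callback',
    ],
  },
};

// Exact-match redirect_uri validation. Both sides are parsed with the WHATWG URL
// parser, so "/callback/../admin" normalises to "/admin" and then fails the
// comparison; prefix or substring matching is deliberately not used.
function validateRedirectUri(clientId, redirectUri) {
  const client = CLIENTS[clientId];
  if (!client) return false;
  let candidate;
  try { candidate = new URL(redirectUri); } catch { return false; }
  if (candidate.hash !== '') return false; // fragments are never part of a registered URI
  return client.redirectUris.some((registered) => {
    const r = new URL(registered);
    return r.protocol === candidate.protocol && r.hostname === candidate.hostname &&
      r.port === candidate.port && r.pathname === candidate.pathname &&
      r.search === candidate.search;
  });
}

// CORS handling for the token endpoint. The browser sends an Origin header with
// the code-for-token POST; it is allowed only if it exactly equals the origin of
// a registered redirect URI, and that single origin is echoed back (never "*").
function corsHeadersForTokenEndpoint(clientId, originHeader) {
  const client = CLIENTS[clientId];
  if (!client || !originHeader) return null;
  const allowedOrigins = new Set(client.redirectUris.map((u) => new URL(u).origin));
  if (!allowedOrigins.has(originHeader)) return null;
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Methods': 'POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    Vary: 'Origin',
  };
}
```

Because the token exchange is a cross-origin POST from the SPA, the preflight and the actual request both go through corsHeadersForTokenEndpoint; a null result means the request is answered without CORS headers and the browser blocks the response.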
On 2/16/17 5:44 PM, Jim Manico wrote:

Hello Folks,

I noticed that Google supports the OAuth 2 Implicit flow for third-party 
JavaScript applications.

https://developers.google.com/identity/protocols/OAuth2UserAgent

Isn't this generally discouraged from a security POV? Is there a better OAuth 2 
flow for third party SPA applications?
Aloha,


--

Jim Manico

Manicode Security

https://www.manicode.com
_______________________________________________

OAuth mailing list

[email protected]<mailto:[email protected]>

https://www.ietf.org/mailman/listinfo/oauth