Hi Brock,

there have been several attempts to start writing some guidance but so far we 
haven’t gotten too far.
IMHO it would be great to have a document.


From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brock Allen
Sent: 17 May 2018 14:57
To: oauth@ietf.org
Subject: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

Much like updated guidance was provided with the "OAuth2 for native apps" RFC, 
should there be one for "browser-based client-side JS apps"? I ask because 
google is actively discouraging the use of implicit flow:


From what I can tell, the complaints with implicit are:
* access token in URL
* access token in browser history
* iframe complexity when using prompt=none to "refresh" access tokens

But this requires:
* AS/OP to support PKCE
* AS/OP to support CORS
* user-agent must support CORS
* AS/OP to maintain short-lived refresh tokens
* AS/OP must aggressively revoke refresh tokens at user signout (which is not 
something OAuth2 "knows" about)
* if the above point can't work, then client must proactively use revocation 
endpoint if/when user triggers logout

Any use in discussing this?


IMPORTANT NOTICE: The contents of this email and any attachments are 
confidential and may also be privileged. If you are not the intended recipient, 
please notify the sender immediately and do not disclose the contents to any 
other person, use it for any purpose, or store or copy the information in any 
medium. Thank you.
OAuth mailing list

Reply via email to