Hi Brock, there have been several attempts to start writing some guidance but so far we haven’t gotten too far. IMHO it would be great to have a document.
Ciao Hannes From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brock Allen Sent: 17 May 2018 14:57 To: email@example.com Subject: [OAUTH-WG] is updated guidance needed for JS/SPA apps? Much like updated guidance was provided with the "OAuth2 for native apps" RFC, should there be one for "browser-based client-side JS apps"? I ask because google is actively discouraging the use of implicit flow: https://github.com/openid/AppAuth-JS/issues/59#issuecomment-389639290 From what I can tell, the complaints with implicit are: * access token in URL * access token in browser history * iframe complexity when using prompt=none to "refresh" access tokens But this requires: * AS/OP to support PKCE * AS/OP to support CORS * user-agent must support CORS * AS/OP to maintain short-lived refresh tokens * AS/OP must aggressively revoke refresh tokens at user signout (which is not something OAuth2 "knows" about) * if the above point can't work, then client must proactively use revocation endpoint if/when user triggers logout Any use in discussing this? -Brock IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth