Hi all, thanks for the latest round of feedback. I've incorporated these suggestions into the latest draft, -03. Here's a summary of the changes since -02:
* Updated the historic note about the fragment URL, clarifying that the Session History API means browsers can use the unmodified authorization code flow
* Rephrased "Authorization Code Flow" intro paragraph to better lead into the next two sections
* Softened "is likely a better decision to avoid using OAuth entirely" to "it may be..." for common-domain deployments
* Updated abstract to not be limited to public clients, since the later sections talk about confidential clients
* Removed references to avoiding OpenID Connect for same-domain architectures
* Updated headers to better describe architectures (Apps Served from a Static Web Server -> JavaScript Applications without a Backend)
* Expanded "same-domain architecture" section to better explain the problems that OAuth has in this scenario
* Referenced Security BCP in implicit flow attacks where possible
* Minor typo corrections

I still have a few open questions on this based on discussion on the list on which there was not a clear consensus, so I've prepared those points to talk about during the session on Friday.

----
Aaron Parecki
aaronparecki.com
@aaronpk

On Wed, Jul 24, 2019 at 7:17 PM <[email protected]> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : OAuth 2.0 for Browser-Based Apps
>         Authors         : Aaron Parecki
>                           David Waite
>         Filename        : draft-ietf-oauth-browser-based-apps-03.txt
>         Pages           : 18
>         Date            : 2019-07-24
>
> Abstract:
>    This specification details the security considerations that must be
>    taken into account when developing browser-based applications, as
>    well as best practices for how they can securely implement OAuth 2.0.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-03
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-browser-based-apps-03
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
