Really means that “modern” SPAs based on a combination of OIDC and OAuth
will not work anymore
* silent-renew for access token management
* OIDC JS session notifications
Will not work anymore. Or don’t work anymore already today - e.g. in Brave.
This means SPAs would need to be forced to do refresh tokens - and there is
no solution right now for session notifications.
Maybe the browser apps BCP / OAuth 2.1 should strictly advice against the
“browser apps without a back-end” scenario and promote the BFF style
OAuth mailing list