The IESG has approved the following document:

- 'OAuth 2.0 for Browser-Based Applications'
  (draft-ietf-oauth-browser-based-apps-25.txt) as Best Current Practice
This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Paul Wouters and Deb Cooley.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

Technical Summary

This specification details the threats, attack consequences, security considerations and best practices that must be taken into account when developing browser-based applications that use OAuth 2.0.

Discussion Venues

This note is to be removed before publishing as an RFC.

Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/.

Source for this draft and an issue tracker can be found at https://github.com/oauth-wg/oauth-browser-based-apps.

Working Group Summary

There were some lively discussions on the best way to protect tokens in browsers, with different people offering different perspectives. All these perspectives were captured in the document with their pros and cons.

A web security expert reviewed the document and provided lots of great feedback. He later joined as a co-author for this document and significantly improved the quality of the document.

Document Quality

Because this is a BCP, there are no implementations, per se. Also no YANG modules, or other things like that.

There is one downref, RFC 6819, and multiple normative references to 'living standards' which have been tied down to specific versions.

Personnel

The Document Shepherd for this document is Rifaat Shekh-Yusef. The Responsible Area Director is Deb Cooley.