Hi Jim,
If there is enough information I think such RFC could be interesting in the
same way as "OAuth 2.0 for Native Apps" (
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07) is for native
app.
To see if the group also thinks so I would suggest to create a personal
draft and ask it to be adopted as a working group item. (I´ll send you a
direct message with some details on how to do that)
Best Regards
Samuel Erdtman
On Mon, Feb 27, 2017 at 3:17 PM, Jim Manico wrote:
> I've been collecting opinions about the best OAuth2 workflows for SPA
> applications and have come up with the following basic recommendations.
>
> 1) The more secure flow is going to be authorization code. Keep access
> tokens out of the DOM/Browser history.
>
> 2) Implicit flows are your only choice if you allow serverless JS clients
> to access your OAuth endpoints. This is much easier to implement but
> carries a great deal more risk. Wether or not this is good for you depends
> on your threat model and risk tolerance.
>
> I'd love to keep going and turn this into a RFC but this is over my head.
> Does anyone here with more experience care to assist in proposing a
> SPA-OAuth RFC? I'd be happy to help with the grunt work. This is one of the
> main areas of OAuth where answers are fractured and I'd love to help push
> more clarity here.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> Secure Coding Education
> +1 (808) 652-3805
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
