+1000 We are currently going through internal turmoil over the usage of implicit grant for ua-based apps. The webapp case is well understood and the WG has work in progress to define best practices for native apps. Having one for ua-based apps would be HUGELY beneficial
On Fri, Feb 17, 2017 at 11:40 AM, Jim Manico <j...@manicode.com> wrote: > Thank you to those answering my question on implicit for JS clients. > > The responses so far seem to represent what the security world is saying > about the implicit grant - keep away from it other than for a few OIDC use > cases. > > Does anyone think it would be valuable to author a brief RFC to give clear > OAuth 2 recommendations for JavaScript client developers? > > I mean - the OAuth 2 body of work just needs a few more RFC's, right? :) > > Aloha, Jim > > > > On 2/17/17 6:03 AM, sebastian.ebl...@telekom.de wrote: > > Same for Deutsche Telekom. Our javascript clients also use code flow with > CORS processing and of course redirect_uri validation. > > > > Best regards > > > > Sebastian > > > > *Von:* OAuth [mailto:oauth-boun...@ietf.org <oauth-boun...@ietf.org>] *Im > Auftrag von *Bill Burke > *Gesendet:* Freitag, 17. Februar 2017 00:14 > *An:* oauth@ietf.org > *Betreff:* Re: [OAUTH-WG] Google's use of Implicit Grant Flow > > > > For our IDP [1], our javascript library uses the auth code flow, but > requires a public client, redirect_uri validation, and also does CORS > checks and processing. We did not like Implicit Flow because > > 1) access tokens would be in the browser history > > 2) short lived access tokens (seconds or minutes) would require a browser > redirect > > I'd be really curious to hear other's thoughts though. > > [1] http://keycloak.org > <https://urldefense.proofpoint.com/v2/url?u=http-3A__keycloak.org&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=YExyuyZO5YNpSvS3mEUG5pjKAjRXXVT8Xvk8hIb-Efw&e=> > > > > > > > > On 2/16/17 5:44 PM, Jim Manico wrote: > > Hello Folks, > > I noticed that Google supports the OAuth 2 Implicit flow for third-party > JavaScript applications. > > https://developers.google.com/identity/protocols/OAuth2UserAgent > <https://urldefense.proofpoint.com/v2/url?u=https-3A__developers.google.com_identity_protocols_OAuth2UserAgent&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=_Mig-zmCt1y9dZpCece1dqby3VmcZVOu2JPcmAwzwKU&e=> > > Isn't this generally discouraged from a security POV? *Is there a better > OAuth 2 flow for third party SPA applications?* > > Aloha, > > -- > > Jim Manico > > Manicode Security > > https://www.manicode.com > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.manicode.com&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=H8pXLA4TE27vW-gz5Sbr9VOUP-KZMmd-gQ-okH4ohMU&e=> > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=jAjifWdP3vqnDgWricLE62R9_d0BQReWRUitqM5S1JU&e=> > > > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=jAjifWdP3vqnDgWricLE62R9_d0BQReWRUitqM5S1JU&e=> > > > -- > Jim Manico > Manicode Securityhttps://www.manicode.com > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.manicode.com&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=H8pXLA4TE27vW-gz5Sbr9VOUP-KZMmd-gQ-okH4ohMU&e=> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
