Hi Jim, If there is enough information I think such RFC could be interesting in the same way as "OAuth 2.0 for Native Apps" ( https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07) is for native app.
To see if the group also thinks so I would suggest to create a personal draft and ask it to be adopted as a working group item. (I´ll send you a direct message with some details on how to do that) Best Regards Samuel Erdtman On Mon, Feb 27, 2017 at 3:17 PM, Jim Manico <j...@manicode.com> wrote: > I've been collecting opinions about the best OAuth2 workflows for SPA > applications and have come up with the following basic recommendations. > > 1) The more secure flow is going to be authorization code. Keep access > tokens out of the DOM/Browser history. > > 2) Implicit flows are your only choice if you allow serverless JS clients > to access your OAuth endpoints. This is much easier to implement but > carries a great deal more risk. Wether or not this is good for you depends > on your threat model and risk tolerance. > > I'd love to keep going and turn this into a RFC but this is over my head. > Does anyone here with more experience care to assist in proposing a > SPA-OAuth RFC? I'd be happy to help with the grunt work. This is one of the > main areas of OAuth where answers are fractured and I'd love to help push > more clarity here. > > Aloha, > -- > Jim Manico > @Manicode > Secure Coding Education > +1 (808) 652-3805 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
