Much like updated guidance was provided with the "OAuth2 for native apps" RFC, should there be one for "browser-based client-side JS apps"? I ask because Google is actively discouraging the use of implicit flow:
https://github.com/openid/AppAuth-JS/issues/59#issuecomment-389639290

From what I can tell, the complaints with implicit are:

* access token in URL
* access token in browser history
* iframe complexity when using prompt=none to "refresh" access tokens

But this requires:

* AS/OP to support PKCE
* AS/OP to support CORS
* user-agent must support CORS
* AS/OP to maintain short-lived refresh tokens
* AS/OP must aggressively revoke refresh tokens at user signout (which is not something OAuth2 "knows" about)
* if the above point can't work, then client must proactively use revocation endpoint if/when user triggers logout

Any use in discussing this?

-Brock
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth