> On Jul 8, 2019, at 8:39 PM, Aaron Parecki <aa...@parecki.com> wrote:
>
> These are all very good points! I think the challenge here is figuring out
> where this kind of guidance is most appropriate.
>
> It does seem like some of these issues are unique to a browser environment
> (particularly where the browser itself is managing the access and refresh
> tokens), so maybe it makes the most sense to include this guidance in the
> browser based app BCP?
Yes, the location is a challenge - the “offline” distinction is defined
(arguably under-defined) by OpenID Connect. OAuth (on the other hand) does not
take a stand on user authentication sessions, since the tokens are for
delegated access.
For confidential clients, both online and offline options make sense. For
native apps, the push is usually for long-term access or for a session separate
from the external user agent. But for browser apps, you typically want to
mirror user authentication.
> If there are situations in which this advice is applicable in other scenarios
> in addition to browser apps, then I think it would make more sense to include
> it in the general OAuth security BCP.
>
> The Security BCP already has some language around refresh tokens, but I
> haven't reviewed it in a while to see if all of these points might be already
> covered there.
>
> If folks think the Browser BCP is the best place for this kind of thing I am
> definitely open to it, and I can work with David on the specific language to
> add.
>
> - Aaron
-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
