Is the OAuth 2.0 Implicit Flow Dead?

In this post, we'll look at what's changing in the Implicit Flow and why.

developer.okta.com

May 1, 2019 · 4:35 PM UTC

Philip Saa 🇩🇪 #autumn · May 1, 2019 · 9:26 PM UTC

Philip Saa 🇩🇪 #autumn @cowglow

1 May 2019

Replying to @aaronpk

And what about this JavaScriptWebTokens I hear about. The JWTs

This tweet is unavailable

Aaron Parecki · May 1, 2019 · 4:58 PM UTC

Aaron Parecki @aaronpk

1 May 2019

If you read the post I talk about exactly that issue and provide sample code for doing auth code + PKCE entirely in JavaScript

This tweet is unavailable

Aaron Parecki · May 2, 2019 · 10:32 PM UTC

Aaron Parecki @aaronpk

2 May 2019

Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens. If you are going to issue refresh tokens to JS, definitely rotate them after every use.