OAuth's implicit flow was created before browsers supported CORS. Let's deprecate it!
Auth code flow + PKCE is the future. Cheers to #OAuth 2.1.
Some more info on OAuth 2.1 from the @oktadev blog:
OAuth 2.1: How many RFCs does it take to change a light bulb?
developer.okta.com/blog/2019…
According to @aaronpk, it was first called CORS in 2009, but wasn't a W3C final spec until 2014. The first draft of OAuth 2 was in 2010.
caniuse.com/#feat=cors says the only browser that fully supported CORS in 2010 was @firefox. @googlechrome had partial support. #oauth2
way to preempt the "well actually" tweets
Dec 13, 2019 · 7:07 PM UTC

