@aaronpk Thanks for all your very helpful OAuth materials, and especially for your IndieWeb work. Question: A lot of the complexity of OAuth seems to come from avoiding security issues with passing tokens in the address bar ("front channel"). 1/
Why not open a new tab for interacting with the auth server, while simultaneously opening a back channel request in the original session? Once the user has authenticated/authorized from the new tab, the back channel request would resolve. 2/
Replying to @anderspitman
That's basically what the Device Flow is, except manual. You certainly could do that. I suspect it would be fragile at best though, and wouldn't work well in mobile browsers.

Jan 21, 2020 · 7:05 PM UTC

Replying to @aaronpk
What do you think would be fragile about my approach? Giving the client control over the random value?
By "fragile" I mean things like being vulnerable to popup blockers, popups being bad UX on mobile browsers, etc.
Replying to @aaronpk
That's interesting. After a quick review, it does seem pretty similar. Why the timeout polling instead of long polling? Does the spec dictate what back-channel you send the user to?
The spec has a way for the AS to provide the app with a URL that the user should visit. So the app has to get the user to that URL somehow; it doesn't matter how, and it doesn't matter what that URL is.