@aaronpk Thanks for all your very helpful OAuth materials, and especially for your IndieWeb work. Question: A lot of the complexity of OAuth seems to come from avoiding security issues with passing tokens in the address bar ("front channel"). 1/
Why not open a new tab for interacting with the auth server, while simultaneously opening a back channel request in the original session? Once the user has authenticated/authorized from the new tab, the back channel request would resolve. 2/
That's basically what the Device Flow is, except manual. You certainly could do that. I suspect it would be fragile at best though, and wouldn't work well in mobile browsers.
By "fragile" I mean things like vulnerable to popup blockers, popups are bad UX on mobile browsers, etc.
Jan 21, 2020 · 11:59 PM UTC
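The mechanism the question describes, and that the reply identifies as the Device Flow (RFC 8628, the OAuth 2.0 Device Authorization Grant), can be sketched as a small in-memory model. This is an added example written for this page; it is not code from the thread or from either participant, and it makes no network calls. The server class, the client polling loop, the `FakeClock`, the client id `cli-app`, the scope `read`, and the verification URI are all constructed for illustration. It shows the part that matters for the question: the client holds a back-channel request (polling the token endpoint) while the user authorizes in a separate tab, the server answers `authorization_pending` until approval, tells an over-eager client to `slow_down`, expires unapproved grants, and hands out the device code exactly once.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628).
Added example: names, codes, intervals and the URI are constructed, not real."""
import secrets


class DeviceAuthorizationServer:
    """Constructed authorization server state; nothing here talks to a network."""

    def __init__(self, interval=5, lifetime=600):
        self.interval = interval      # minimum seconds between client polls
        self.lifetime = lifetime      # seconds before an unapproved grant expires
        self._grants = {}             # device_code -> grant record

    def device_authorization(self, client_id, scope, now):
        """Front step: issue a device_code (for the client) and a user_code (for the user)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. A1B2-C3D4
        self._grants[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "state": "pending",
                                     "issued_at": now, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # constructed
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, now):
        """The user, in the separate tab, enters the user_code and consents."""
        for g in self._grants.values():
            if (g["user_code"] == user_code and g["state"] == "pending"
                    and now - g["issued_at"] < self.lifetime):
                g["state"] = "approved"
                return True
        return False

    def token(self, client_id, device_code, now):
        """Back channel: the token endpoint polled with grant_type=device_code."""
        g = self._grants.get(device_code)
        if g is None or g["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now - g["issued_at"] >= self.lifetime:
            del self._grants[device_code]
            return {"error": "expired_token"}
        too_fast = g["last_poll"] is not None and now - g["last_poll"] < self.interval
        g["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if g["state"] == "pending":
            return {"error": "authorization_pending"}
        del self._grants[device_code]  # approved: the device code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": g["scope"]}


def poll_for_token(server, client_id, device_code, interval, now, sleep, expires_in):
    """Client side of the back channel: keep polling until a terminal answer.
    Returns (final_response, list_of_error_codes_seen)."""
    deadline = now() + expires_in
    errors = []
    while True:
        resp = server.token(client_id, device_code, now())
        err = resp.get("error")
        if err is None:
            return resp, errors
        errors.append(err)
        if err == "slow_down":
            interval += 5            # RFC 8628 section 3.5: back off by 5 seconds
        elif err != "authorization_pending":
            return resp, errors      # access_denied / expired_token / invalid_grant
        sleep(interval)
        if now() >= deadline:        # stop on the client side as well
            errors.append("expired_token")
            return {"error": "expired_token"}, errors


class FakeClock:
    """Simulated time so the example runs instantly and deterministically."""

    def __init__(self):
        self.t = 0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def run_device_flow(approve_at=12, client_interval=None):
    """Drive one complete flow. approve_at=None models a user who never authorizes;
    client_interval below the server's interval models a client polling too fast."""
    clock = FakeClock()
    server = DeviceAuthorizationServer(interval=5, lifetime=600)
    dev = server.device_authorization("cli-app", "read", clock.now())

    def sleep(seconds):               # while the client waits, the user acts in the other tab
        clock.sleep(seconds)
        if approve_at is not None and clock.now() >= approve_at:
            server.approve(dev["user_code"], clock.now())

    resp, errors = poll_for_token(server, "cli-app", dev["device_code"],
                                  client_interval or dev["interval"],
                                  clock.now, sleep, dev["expires_in"])
    return {"response": resp, "errors": errors, "server": server,
            "device_code": dev["device_code"], "finished_at": clock.now()}


if __name__ == "__main__":
    for kwargs in ({}, {"client_interval": 2}, {"approve_at": None}):
        r = run_device_flow(**kwargs)
        print(kwargs, r["errors"][:4], "...", r["response"].get("error", "token issued"))
```

The `slow_down` branch is the detail worth noticing: a client that ignores it and keeps hammering the token endpoint is both a denial-of-service vector against the authorization server and the kind of behaviour rate limits should catch, which is why the server here keeps re-issuing `slow_down` until the client actually backs off.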

