@manicode nice talking with you yesterday. Follow-up on #OAuth implicit flow topic. You said don't use it. To my knowledge this is still the BCP per the #IETF RFC6749 for user-agent-based clients. Thoughts?
3
Also RFC6749 is really high level. Consider reading RFC8252 for best practice advice on native and mobile clients. Consider auth code flow for web apps and OIDC if you’re identifying users.
1
We do implement native apps per RFC8252 including code flow, custom tabs and PKCE, and we use OIDC for authentication to web apps. But doing ua-based-apps / SPAs right is ambiguous at best and I keep hoping for the @oauth_2 WG to begin work on an ua-based client BCP.
1
2
Replying to @lewiada @manicode @oauth_2
BCP for public UA clients: * use the authorization code flow * omit client secret * strict redirect URI validation Some citations and more info: aaronparecki.com/oauth-2-sim…

Apr 24, 2018 · 5:57 PM UTC

3
1
3
Replying to @aaronpk @manicode @oauth_2
and what about for storing the access token in the browser?
1
Sadly there isn't a satisfying answer to that. Anything that your JS can use to store any token is vulnerable to XSS. The only secure option is cookies, but that won't work with OAuth. stormpath.com/blog/where-to-…
3
1
2
more replies
Replying to @aaronpk @lewiada @manicode @oauth_2
I agree it would be nice to see this written up properly though. In the mean time, I'm adding a section to my book about this.
1
2
Replying to @aaronpk @lewiada @oauth_2
Aaron this is very well written. Thanks for passing this along!