oauth-wg / oauth-browser-based-apps

Best practices for OAuth in Browser-Based Apps
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps

Add security considerations for refresh tokens #1

Closed aaronpk closed 5 years ago

aaronpk commented 5 years ago

https://www.ietf.org/mail-archive/web/oauth/current/msg18518.html

First of all, the AS decides whether it issues refresh tokens or not. Having the ability does not mean the AS must do it. If you feel it's safer to not do it, fine.

Sure, and this should be mentioned then somewhere (either in the threats doc or in this proposed best practice doc). Not all end developers using these protocols fully understand the ramifications.

Aaron: I suggest this goes to the SPA BCP since this is client-specific.

aaronpk commented 5 years ago

Added in 5cd12e9d5f7e58d614073ef5b073c40ae1ad5091