This PR contains a major rewrite of this document to better reflect the security challenges of browser-based OAuth clients. The updated spec includes an in-depth analysis of attacks, consequences, and architecture patterns that can be used.
Concrete changes in this document:
Added a section on threats of malicios JS (attack payloads and consequences)
Added a threat analysis to each of the major patterns
Expanded the three main patterns with relevant details
Added in-depth discussion of the limitations of Service Workers
Updated refresh token example (made lifetimes more relevant, clarified that the session is needed instead of the user presence)
aaronpk
commented
10 months ago
This PR contains a major rewrite of this document to better reflect the security challenges of browser-based OAuth clients. The updated spec includes an in-depth analysis of attacks, consequences, and architecture patterns that can be used.
Concrete changes in this document: