This PR contains a major rewrite of this document to better reflect the security challenges of browser-based OAuth clients. The updated spec includes an in-depth analysis of attacks, consequences, and architecture patterns that can be used.
Concrete changes in this document:
Added a section on threats of malicious JS (attack payloads and consequences)
Added a threat analysis to each of the major patterns
Expanded the three main patterns with relevant details
Added in-depth discussion of the limitations of Service Workers
Updated refresh token example (made lifetimes more relevant, clarified that the session is needed instead of the user presence)