Open michielbdejong opened 5 years ago
Just completing the links: the current draft of the BCP can be found at https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/ (moved to a new name)
cc @fkooman
Yeah, it would be best to switch to the authorization code profile and use PKCE. That's what I've been doing for other projects, i.e. supporting RFC 8252 "OAuth 2.0 for Native Apps". The draft @skddc refers to is very similar.
Specifically relevant for RS: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-03#section-6.3
This draft mentions requirements for keeping implicit grant flow (but generally recommends not using it anymore): https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15
There seems to be some progress in general opinion about implicit grant flow best practices; we should probably require PKCE (https://www.oauth.com/oauth2-servers/pkce/) in how the remoteStorage spec uses the OAuth Implicit Grant.
https://tools.ietf.org/id/draft-parecki-oauth-browser-based-apps-02.txt
https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
https://www.google.com/search?q=implicit+flow+problems