remotestorage / spec

remoteStorage Protocol Specification
https://tools.ietf.org/html/draft-dejong-remotestorage

Consider requiring PKCE #176

Open michielbdejong opened 5 years ago

michielbdejong commented 5 years ago

There seems to be some progress in general opinion about implicit grant flow best practices, where probably we should require https://www.oauth.com/oauth2-servers/pkce/ in how the remoteStorage spec uses OAuth Implicit Grant.

https://tools.ietf.org/id/draft-parecki-oauth-browser-based-apps-02.txt
https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
https://www.google.com/search?q=implicit+flow+problems

raucao commented 5 years ago

Just completing the links: the current draft of the BCP can be found at https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/ (moved to a new name)

michielbdejong commented 5 years ago

cc @fkooman

ghost commented 5 years ago

Yeah, it would be best to switch to authorization code profile and use PKCE. That's what I've been doing for other projects, i.e. support RFC8252 "OAuth 2.0 for Native Apps". This draft @skddc refers to is very similar.

Specifically relevant for RS: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-03#section-6.3
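Added example (not code from the remoteStorage spec, this thread, or any of the linked drafts): a minimal authorization-code-plus-PKCE exchange as described in RFC 7636, showing what the switch discussed above actually buys. The client derives a `code_challenge` from a random `code_verifier`, the server stores the challenge with the authorization code, and at token time it recomputes the challenge from the presented verifier. A code intercepted in transit is useless without the verifier, which never leaves the client until the token request. The `AuthorizationServer` class, its in-memory dictionary, and the client identifiers are constructed for this illustration only; the RFC 7636 Appendix B test vector is used to check the S256 transform.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: verifier uses only unreserved characters, 43..128 of them
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy random verifier (kept secret until token request)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be 43..128")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _valid_verifier(verifier: str) -> bool:
    return 43 <= len(verifier) <= 128 and all(c in UNRESERVED for c in verifier)


class AuthorizationServer:
    """Toy server (constructed for this example): authorization codes held in memory."""

    def __init__(self) -> None:
        # code -> (client_id, redirect_uri, code_challenge)
        self._pending: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str):
        """Authorization endpoint: bind the challenge to a fresh single-use code."""
        # The "plain" method gives no protection if the challenge is observed; require S256.
        if code_challenge_method != "S256":
            return None
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str):
        """Token endpoint: consume the code and prove possession of the verifier."""
        entry = self._pending.pop(code, None)  # pop: a code is single use, even on failure
        if entry is None:
            return None
        stored_client, stored_redirect, stored_challenge = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            return None
        if not _valid_verifier(code_verifier):
            return None
        expected = code_challenge_s256(code_verifier)
        # constant-time comparison so the challenge cannot be probed byte by byte
        if not hmac.compare_digest(expected, stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def run_flow(server: AuthorizationServer, client_id: str, redirect_uri: str,
             verifier: str, presented_verifier: str):
    """Drive one authorization-code + PKCE round trip; returns the token response or None."""
    challenge = code_challenge_s256(verifier)
    code = server.authorize(client_id, redirect_uri, challenge, "S256")
    if code is None:
        return None
    return server.token(code, client_id, redirect_uri, presented_verifier)


if __name__ == "__main__":
    srv = AuthorizationServer()
    v = generate_code_verifier()
    # legitimate client: same verifier at both ends of the flow
    print("legitimate:", run_flow(srv, "app", "https://app.example/cb", v, v) is not None)
    # a party holding only the code has to guess the verifier, which fails
    print("wrong verifier:", run_flow(srv, "app", "https://app.example/cb", v,
                                      generate_code_verifier()) is None)
```

The server stores only the challenge, so a leaked server-side record does not let anyone complete an exchange either; the verifier is the one secret and it lives only in the client for the lifetime of a single flow.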

raucao commented 4 years ago

This draft mentions requirements for keeping implicit grant flow (but generally recommends not using it anymore): https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15