Jim Manico
2017-02-27 14:17:59 UTC
I've been collecting opinions about the best OAuth2 workflows for SPA applications and have come up with the following basic recommendations.
1) The more secure flow is going to be authorization code. Keep access tokens out of the DOM/Browser history.
2) Implicit flows are your only choice if you allow serverless JS clients to access your OAuth endpoints. This is much easier to implement but carries a great deal more risk. Whether or not this is good for you depends on your threat model and risk tolerance.
I'd love to keep going and turn this into an RFC but this is over my head. Does anyone here with more experience care to assist in proposing a SPA-OAuth RFC? I'd be happy to help with the grunt work. This is one of the main areas of OAuth where answers are fractured and I'd love to help push more clarity here.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
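An added illustration (not part of Jim's message) of the concrete difference behind recommendation 1: the implicit flow hands the access token to the browser in the URL fragment, while the authorization code flow returns only a one-time code. The endpoint, redirect URI, client_id and token values are constructed for the example.

```javascript
// Added example, not from the original post. All hostnames and values are constructed.
const AUTHZ_ENDPOINT = "https://as.example/authorize";   // constructed
const REDIRECT_URI   = "https://spa.example/callback";   // constructed

// Build the front-channel authorization request for either flow.
function buildAuthRequest(flow, state) {
  const url = new URL(AUTHZ_ENDPOINT);
  url.searchParams.set("client_id", "spa-client");        // constructed client_id
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("state", state);
  // Authorization code flow asks for a one-time code; implicit asks for the token itself.
  url.searchParams.set("response_type", flow === "code" ? "code" : "token");
  return url.toString();
}

// Classify what the browser received on the redirect back to the SPA.
// Implicit flow (RFC 6749 section 4.2): access token arrives in the URL fragment, so it
// is recorded in browser history and readable from the DOM via window.location.
// Authorization code flow (section 4.1): only a short-lived, single-use code in the query,
// which is then exchanged at the token endpoint; the token itself never touches the URL.
function classifyRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const state = query.get("state") ?? fragment.get("state");
  const result = { flow: null, tokenInBrowser: false, stateOk: state === expectedState, warnings: [] };

  if (fragment.has("access_token") || query.has("access_token")) {
    result.flow = "implicit";
    result.tokenInBrowser = true;
    result.warnings.push("access token delivered in the URL: present in browser history and DOM");
  } else if (query.has("code")) {
    result.flow = "authorization_code";
  }
  if (!result.stateOk) {
    result.warnings.push("state mismatch: redirect was not initiated by this client session");
  }
  return result;
}
```

In a real SPA the callback page would also clear the fragment from the address bar after reading it (history.replaceState), which is exactly the browser-history exposure the post warns about.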