Aaron Parecki

  • Aaron Parecki
    Just in time for #iiw I published a blog post: "Is the OAuth 2.0 Implicit Flow Dead?" https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead
    Mountain View, California, USA • 49°F
    Wed, May 1, 2019 9:30am -07:00 #oauth #iiw
    • Aaron Parecki twitter.com/aaronpk
      Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.

      If you are going to issue refresh tokens to JS, definitely rotate them after every use.
      Thu, May 2, 2019 10:32pm +00:00 (via brid-gy.appspot.com)
    • Nico Kaiser twitter.com/nicokaiser
      ... assuming I can control what JS code runs on my site (which is a different problem), this should be safe, right?
      Thu, May 2, 2019 10:27pm +00:00 (via brid-gy.appspot.com)
    • Nico Kaiser twitter.com/nicokaiser
      What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...
      Thu, May 2, 2019 10:25pm +00:00 (via brid-gy.appspot.com)
    • Philip Saa 🇩🇪 #spring twitter.com/cowglow
      And what about this JavaScriptWebTokens I hear about. The JWTs
      Wed, May 1, 2019 9:26pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      If you read the post I talk about exactly that issue and provide sample code for doing auth code + PKCE entirely in JavaScript
      Wed, May 1, 2019 4:58pm +00:00 (via brid-gy.appspot.com)
    • Nico Kaiser twitter.com/nicokaiser
      From what I understand, the Auth Code flow (even with PKCE) needs some kind of backend in the app (i.e., no static HTML-only cross-domain SPA), or am I missing something?
      Wed, May 1, 2019 4:52pm +00:00 (via brid-gy.appspot.com)
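
The advice in the replies above to rotate refresh tokens after every use, sketched as an added server-side example (not code from the blog post or from anyone in this thread). It goes one step beyond plain rotation by revoking the whole token family when an already-used token is presented again; `RefreshTokenStore`, `issue` and `redeem` are hypothetical names, and the in-memory `Map` stands in for a real database.

```javascript
// Added example: in-memory refresh token store that rotates on every use.
// Works in browsers and Node; falls back to node:crypto on older Node versions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

function newToken() {
  const bytes = rng.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

class RefreshTokenStore {
  constructor() {
    this.tokens = new Map();          // token -> { familyId, subject, used }
    this.revokedFamilies = new Set(); // families killed after a detected replay
  }

  // Called once after the authorization code exchange: starts a new family.
  issue(subject) {
    return this._mint(newToken(), subject);
  }

  _mint(familyId, subject) {
    const token = newToken();
    this.tokens.set(token, { familyId, subject, used: false });
    return token;
  }

  // Called for grant_type=refresh_token. Each token is valid exactly once.
  redeem(token) {
    const rec = this.tokens.get(token);
    if (!rec || this.revokedFamilies.has(rec.familyId)) {
      return { ok: false, error: 'invalid_grant' };
    }
    if (rec.used) {
      // A rotated-out token came back: either the legitimate client or a
      // thief is replaying it. We cannot tell which, so revoke the family.
      this.revokedFamilies.add(rec.familyId);
      return { ok: false, error: 'invalid_grant', familyRevoked: true };
    }
    rec.used = true;
    return {
      ok: true,
      subject: rec.subject,
      refreshToken: this._mint(rec.familyId, rec.subject), // the rotation
    };
  }
}
```

After a family is revoked, the client has to send the user through the authorization flow again to obtain a fresh token.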
Posted in /notes using quill.p3k.io

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.