Just in time for #iiw I published a blog post: "Is the OAuth ... • Aaron Parecki

Just in time for #iiw I published a blog post: "Is the OAuth 2.0 Implicit Flow Dead?" https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead

Mountain View, California, USA • 49°F

Wed, May 1, 2019 9:30am -07:00 #oauth #iiw

18 likes 9 reposts 6 replies
Have you written a response to this? Let me know the URL:
- Aaron Parecki twitter.com/aaronpk
  
  Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.
  
  If you are going to issue refresh tokens to JS, definitely rotate them after every use.
  
  Thu, May 2, 2019 10:32pm +00:00 (via brid-gy.appspot.com)
- Nico Kaiser twitter.com/nicokaiser
  
  ... assuming I can control what JS code runs on my site (which is a different problem), this should be safe, right?
  
  Thu, May 2, 2019 10:27pm +00:00 (via brid-gy.appspot.com)
- Nico Kaiser twitter.com/nicokaiser
  
  What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...
  
  Thu, May 2, 2019 10:25pm +00:00 (via brid-gy.appspot.com)
- Philip Saa 🇩🇪 #spring twitter.com/cowglow
  
  And what about this JavaScriptWebTokens I hear about. The JWTs
  
  Wed, May 1, 2019 9:26pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki twitter.com/aaronpk
  
  If you read the post I talk about exactly that issue and provide sample code for doing auth code + PKCE entirely in JavaScript
  
  Wed, May 1, 2019 4:58pm +00:00 (via brid-gy.appspot.com)
- Nico Kaiser twitter.com/nicokaiser
  
  From what I understand, the Auth Code flow (even with PKCE) needs some kind of backend in the app (i.e., no static HTML-only cross-domain SPA), or am I missing something?
  
  Wed, May 1, 2019 4:52pm +00:00 (via brid-gy.appspot.com)

Posted in /notes using quill.p3k.io