Just in time for
I published a blog post: "Is the OAuth 2.0 Implicit Flow Dead?"
Wed, May 1, 2019 9:30am -07:00
Jan Jaap Z
Christian Bonzelet 👋🏼
Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.
If you are going to issue refresh tokens to JS, definitely rotate them after every use.
Thu, May 2, 2019 10:32pm +00:00
... assuming I can control what JS code runs on my site (which is a different problem), this should be safe, right?
Thu, May 2, 2019 10:27pm +00:00
What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...
Thu, May 2, 2019 10:25pm +00:00
Philip Saa 🇩🇪 #spring
Wed, May 1, 2019 9:26pm +00:00
Wed, May 1, 2019 4:58pm +00:00
From what I understand, the Auth Code flow (even with PKCE) needs some kind of backend in the app (i.e., no static HTML-only cross-domain SPA), or am I missing something?
Wed, May 1, 2019 4:52pm +00:00