I've revised the browser-based apps draft to take into account
everything discussed at the previous IETF meeting in Montreal.
Here's a summary of the changes:
• Disallow the password grant to bring it in line with the Security BCP
• Rewrote the section about refresh tokens to allow refresh tokens if they are time-limited or rotated on each use
• Updated the same-domain JS architecture section to focus more on the design pattern than the domain aspect
• Added a few more references to the Security BCP
This addresses all of the feedback from the session except for the one
open item we had, which was to somehow describe that in some cases an
access token will be sent down to the browser, and what to keep in
mind when that is the case. This still needs some discussion on the
Please give it a read and let me know what you think! I think this is
shaping up quite nicely now.