Aaron Parecki

  • OAuth Security Workshop

    July 22, 2020 at 8:00am (+0100) through July 24, 2020 at 6:00pm (+0100), 3 days
    Scandic Nidelven, 1-3 Havnegata, Trondheim, Trøndelag, NOR
    #oauth #okta
    • Protecting Single-Page Apps using OAuth

      July 22, 2020, 5:30am - 6:00am (-0700), Online
      In this session we'll discuss techniques for protecting single-page apps using OAuth. Browser environments provide many unique challenges for OAuth clients compared to applications running in a trusted server environment or even native mobile apps.

      There are several different architectural patterns described in draft-ietf-oauth-browser-based-apps based on known common implementations. The authors would like to make sure this document captures the current state of the art, so we are looking for input into other ways people have securely implemented OAuth clients in a browser-based environment.

      Some concrete recommendations this draft makes include:

      • Requiring PKCE for the authorization code flow
      • Exact string matching of redirect URIs (no prefix, wildcard or pattern matching)
      • Disallowing the implicit grant (response_type=token) and the resource owner password grant
      • Requiring refresh token rotation, with reuse detection, as well as setting a maximum lifetime for refresh tokens

      Experience from people who have implemented OAuth in a single-page-app environment is much appreciated.
    • OAuth 2.1

      July 22, 2020, 7:30am - 8:00am (-0700), Online
      Since the original publication of OAuth 2.0 (RFC 6749) in 2012, several new specifications have been published that either add or remove functionality from the core spec, including OAuth 2.0 for Native Apps (RFC 8252), Proof Key for Code Exchange (RFC 7636), and the in-progress OAuth 2.0 for Browser-Based Apps and OAuth 2.0 Security Best Current Practice drafts.

      OAuth 2.1 is an in-progress effort to consolidate and simplify OAuth 2.0.

      The main goal of OAuth 2.1 is to capture the current best practices in OAuth 2.0, together with its well-established extensions, under a single name. Specifically, this effort defines no new behavior of its own; it only captures behavior already defined in other existing specs. OAuth 2.1 also won't include anything considered experimental or still in progress.

      This session will present the current status of this ongoing work along with the underlying rationales.
Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.