That's non-standard behavior so I'm not sure anyone is doing ... • Aaron Parecki

47°F

Peter Holz https://twitter.com/nu4ur • Nov 26
Hi @aaronpk, do you know if any OAuth provider like Okta allows to set refresh tokens as HttpOnly cookie and whose token endpoint reads that cookie? Asking for a browser-based public client which can't safely store refresh tokens outside of memory otherwise.

That's non-standard behavior so I'm not sure anyone is doing that. But there is some discussion about bringing this idea into the working group for standardization.

Portland, Oregon • 47°F

Thu, Nov 26, 2020 11:21am -08:00

1 like 2 replies
- Peter Holz
Have you written a response to this? Let me know the URL:
- Aaron Parecki twitter.com/aaronpk
  
  Yep I agree, there's a draft I'm planning on taking to the group to suggest exactly this.
  
  Fri, Nov 27, 2020 12:06am +00:00 (via brid-gy.appspot.com)
- Peter Holz twitter.com/nu4ur
  
  Thanks! Rotation doesn't help against the theft itself, only alerts afterwards. I'm not familiar with sender constraints, but probably difficult to implement for public clients? Cookies would be a simple and proven solution, at least for *browser-based* public clients.
  
  Thu, Nov 26, 2020 7:28pm +00:00 (via brid-gy.appspot.com)

Posted in /replies using quill.p3k.io