With the help of a few kind folks, we've made some updates to the OAuth 2.0 for Browser-Based Apps draft as discussed during the last IETF meeting in Philadelphia.
You can find the current version, draft 11, here:
The major changes in this version are adding two new architecture patterns, the "Token Mediating Backend" pattern based on the TMI-BFF draft, and the "Service Worker" pattern of using a Service Worker as the OAuth client. I've also done a fair amount of rearranging of various parts of the document to hopefully make more sense.
Obviously there is no clear winner in terms of which architecture pattern is best, so instead of trying to make a blanket recommendation, the goal of this draft is to document the pros and cons of each. If you have any input into either benefits or drawbacks that aren't mentioned yet in any of the patterns discussed, please feel free to chime in so we can add them to the document! You're welcome to either reply on the list, open an issue on the GitHub repository, or contact me directly. Keep in mind that only comments on the mailing list are part of the official record.