I just published a revised version of OAuth for Browser-Based Apps based on the feedback and discussion at IETF 115 London!
The primary changes are:
- Rephrased the architecture patterns to focus on token acquisition
- Added a new section about the various options available for storing tokens
- Added a section on sender-constrained tokens and a reference to DPoP
- Added a section discussing why not to use the Cookie API to store tokens
At this point there are no open issues on GitHub, and I have nothing else I am planning on adding to the document. Please review if you are interested and let me know if you have any further suggestions!