@aaronpk Thanks for also considering the statically-served browser-based case. I find it curious that the main threat model is having malicious JS executed in the browser context of the app (painting browser-based unsafe). As someone unfamiliar with the stacks of modern backend development (last time I did that, LAMP was big), and only dabbling in frontend stuff (usually Rust/WASM), I'd intuitively assume that a BFF server is more easily compromised than the union of the JS and a static server.
The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing: https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html https://www.ietf.org/archive/id/draft-ietf-oauth-resou... aaronparecki.com