A thing I started doing: instead of recording my full workshops, I set a voice memo recorder on the podium, and when someone has a question, I press record, repeat the question, and then answer it. Now my recorder is full of Q&A that I can incorporate back into the presentation!
Here's a summary of the changes:
• Disallow the password grant to bring it in line with the Security BCP
• Rewrote the section about refresh tokens to allow refresh tokens if they are time-limited or rotated on each use
• Updated the same-domain JS architecture section to focus more on the design pattern than the domain aspect
• Added a few more references to the Security BCP
This addresses all of the feedback from the session except for the one open item we had, which was to somehow describe that in some cases an access token will be sent down to the browser, and what to keep in mind when that is the case. This still needs some discussion on the list here.
Please give it a read and let me know what you think! I think this is shaping up quite nicely now.
This @jack situation is making me rethink my phone number strategy. I've been treating my SIM number as disposable and easily replaceable, where the number I use for 2FA is a Google Voice number. But now I'm thinking treating my SIM number as a password is a better plan.