Consider requiring PKCE #176
Comments
|
Just completing the links: the current draft of the BCP can be found at https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/ (moved to a new name) |
|
cc @fkooman |
|
Yeah, it would be best to switch to authorization code profile and use PKCE. That's what I've been doing for other projects, i.e. support RFC8252 "OAuth 2.0 for Native Apps". This draft @skddc refers to is very similar. Specifically relevant for RS: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-03#section-6.3 |
|
This draft mentions requirements for keeping implicit grant flow (but generally recommends not using it anymore): https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There seems to be some progress in general opinion about implicit grant flow best practices, where probably we should require https://www.oauth.com/oauth2-servers/pkce/ in how the remoteStorage spec uses OAuth Implicit Grant.
https://tools.ietf.org/id/draft-parecki-oauth-browser-based-apps-02.txt
https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
https://www.google.com/search?q=implicit+flow+problems
The text was updated successfully, but these errors were encountered: