Security Workshop 2020

OAuth 2.0 for Browser-Based Apps
• Includes recommendations for implementors building browser-based apps using OAuth 2.0
• "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"
Recommendations
• MUST NOT return access tokens in the front channel (e.g. no Implicit flow)
• MUST use only exact registered redirect URIs
• The AS MUST require an exact match of the redirect URI
• The AS MUST issue one-time-use refresh tokens
• The AS MUST either set a max lifetime on refresh tokens or expire them if they are not used after some time
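Added illustration (not code from the slides or from any reference implementation) of how an authorization server can enforce the last four bullets: exact redirect URI comparison with no normalisation, one-time-use refresh tokens, an absolute maximum lifetime, and expiry when a token goes unused. Assumed details: the in-memory store, the default lifetimes, and the step of revoking the whole token family when a consumed token is presented again, which goes beyond the slide's one-time-use wording.

```python
import secrets
import time


def redirect_uri_allowed(requested, registered):
    """Exact string match only: no prefix, wildcard or path/query normalisation."""
    return requested in registered


class RefreshTokenStore:
    """AS-side refresh-token state (assumed in-memory store for illustration)."""

    def __init__(self, max_lifetime=30 * 86400, idle_timeout=7 * 86400):
        self.max_lifetime = max_lifetime  # seconds since the family was first issued
        self.idle_timeout = idle_timeout  # seconds a single token may sit unused
        self._tokens = {}                 # token -> record
        self._revoked_families = set()

    def issue(self, family=None, family_issued=None, now=None):
        """Mint a refresh token; a new family starts unless one is passed in."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "family": family or secrets.token_urlsafe(16),
            "family_issued": now if family_issued is None else family_issued,
            "issued": now,
            "used": False,
        }
        return token

    def rotate(self, token, now=None):
        """Consume `token` and return its replacement, or None if refresh is refused."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # A one-time-use token presented twice: treat as theft and kill the family.
            self._revoked_families.add(rec["family"])
            return None
        if now - rec["family_issued"] > self.max_lifetime:
            return None  # absolute lifetime exceeded, rotation does not extend it
        if now - rec["issued"] > self.idle_timeout:
            return None  # token sat unused too long
        rec["used"] = True
        return self.issue(rec["family"], rec["family_issued"], now)
```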
Same-Domain Applications
• Details of this section still TBD
• There are still benefits of OAuth such as easier MFA, avoiding passwords in apps, etc
• Thoughts and opinions welcome
Outstanding Work
• Collect feedback on the architectural recommendations from people who have deployment experience
• Remove details and reference sections that duplicate the Security BCP