In this session we'll discuss techniques for protecting single-page apps using OAuth. Browser environments pose challenges for OAuth clients that applications running in a trusted server environment, or even native mobile apps, do not face: there is no client secret, every token the app holds is exposed to any script running in the page, and the redirect back to the app is handled entirely by the browser.
There are several different architectural patterns described in draft-ietf-oauth-browser-based-apps, based on patterns seen in common real-world implementations. The authors would like to make sure this document captures the current state of the art, so we are looking for input on other ways people have securely implemented OAuth clients in a browser-based environment.
Some concrete recommendations this draft makes include:
* Requiring PKCE
* Exact string matching of redirect URIs (no prefix or wildcard matching)
* Disallowing the implicit and password grants
* Requiring refresh token rotation, together with a maximum lifetime for refresh tokens
Experience from people who have implemented OAuth in a single-page-app environment is much appreciated.