Implement the sample showing the implementations of the recommendations in https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07#section-6.2
#4 · Open · sandipchitale opened this issue Oct 12, 2020 · 1 comment
The Application Server (Backend) SHOULD be considered a confidential client, and issued its own client secret. The Application Server SHOULD use the OAuth 2.0 Authorization Code grant with PKCE to initiate a request for an access token.

Security of the connection between code running in the browser and this Application Server is assumed to utilize browser-level protection mechanisms. Details are out of scope of this document, but many recommendations can be found in the OWASP Cheat Sheet series (https://cheatsheetseries.owasp.org/), such as setting an HTTP-only and Secure cookie to authenticate the session between the browser and Application Server.

In this scenario, the session between the browser and Application Server SHOULD be a session cookie provided by the Application Server.
Expected Behavior
The RFC https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07 recommends use of "JavaScript Applications with a Backend" (Section 6.2, quoted above).
Current Behavior
I have not seen any samples and/or documentation explaining how to implement the recommendation, especially when using JWT tokens. It would be good if the documentation discussed whether the above recommendation is applicable when using JWT tokens with OAuth2.
Context
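To make the Section 6.2 pattern quoted in this issue concrete, here is an added, self-contained Python sketch of a backend-for-frontend; it is not code from this repository or from the draft's authors. The backend acts as the confidential client: it holds the client secret, runs the authorization code grant with PKCE (S256, RFC 7636) over the back channel, keeps the resulting tokens server-side, and gives the browser only an HttpOnly, Secure, SameSite session cookie. The endpoints, client id, secret and redirect URI are placeholders, the `FakeAuthorizationServer` is a constructed stand-in so the exchange runs offline, and the HTTPS transport to the token endpoint is replaced by an injected callable.

```python
import base64
import hashlib
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints and credentials (assumptions for this example, not a real provider).
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "bff-client"
CLIENT_SECRET = "server-side-secret-placeholder"  # held only by the backend, never sent to the browser
REDIRECT_URI = "https://app.example/oauth/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class BackendForFrontend:
    """Confidential client per Section 6.2: tokens stay here, the browser only holds a session cookie."""

    def __init__(self):
        self.pending = {}   # state -> code_verifier, consumed exactly once at the callback
        self.sessions = {}  # session id -> token response from the AS

    def begin_login(self) -> str:
        state = secrets.token_urlsafe(32)
        verifier = b64url(secrets.token_bytes(32))  # 43-char verifier, 256 bits of entropy
        self.pending[state] = verifier
        params = {
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid", "state": state,
            "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
        }
        return AUTHZ_ENDPOINT + "?" + urlencode(params)  # redirect the browser here

    def finish_login(self, callback_url: str, token_endpoint):
        q = parse_qs(urlparse(callback_url).query)
        verifier = self.pending.pop(q["state"][0], None)
        if verifier is None:
            raise ValueError("unknown or replayed state")  # CSRF/replay on the callback
        body = {
            "grant_type": "authorization_code", "code": q["code"][0], "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,  # confidential-client auth
            "code_verifier": verifier,  # PKCE proof, back channel only
        }
        tokens = token_endpoint(body)  # injected transport; production: HTTPS POST to the AS token URL
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = tokens
        return sid, self.session_cookie(sid)

    @staticmethod
    def session_cookie(sid: str) -> str:
        c = SimpleCookie()
        c["session"] = sid
        c["session"]["httponly"] = True   # not readable by page script
        c["session"]["secure"] = True     # only sent over TLS
        c["session"]["samesite"] = "Lax"  # not attached to cross-site POSTs
        c["session"]["path"] = "/"
        return c["session"].OutputString()  # value of the Set-Cookie header

    def upstream_authorization(self, cookie_header: str) -> str:
        """Map the browser's Cookie header to the bearer token used toward the resource server."""
        c = SimpleCookie()
        c.load(cookie_header)
        return "Bearer " + self.sessions[c["session"].value]["access_token"]


class FakeAuthorizationServer:
    """Constructed stand-in so the exchange runs offline; it enforces client_secret and S256."""

    def __init__(self):
        self.codes = {}  # issued code -> code_challenge bound to it

    def authorize(self, authz_url: str) -> str:
        q = parse_qs(urlparse(authz_url).query)
        if q["code_challenge_method"][0] != "S256":
            raise PermissionError("plain PKCE not accepted")
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["code_challenge"][0]
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, body: dict) -> dict:
        challenge = self.codes.pop(body.get("code"), None)
        if challenge is None or body.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("invalid_grant or invalid_client")
        if pkce_challenge(body["code_verifier"]) != challenge:
            raise PermissionError("invalid_grant: code_verifier mismatch")
        return {"access_token": "at-" + secrets.token_urlsafe(12), "token_type": "Bearer"}


def run_flow() -> dict:
    bff, authz = BackendForFrontend(), FakeAuthorizationServer()
    login_url = bff.begin_login()          # 1. backend redirects the browser to the AS
    callback = authz.authorize(login_url)  # 2. user authenticates, AS redirects back with code+state
    sid, set_cookie = bff.finish_login(callback, authz.token)  # 3. back-channel exchange, cookie issued
    try:
        bff.finish_login(callback, authz.token)  # 4. replaying the callback must fail
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "set_cookie": set_cookie,
        "access_token": bff.sessions[sid]["access_token"],
        "upstream_auth": bff.upstream_authorization("session=" + sid),
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(run_flow())
```

The point to check in any real implementation is what the browser ends up holding: `run_flow()` shows the Set-Cookie value carries only an opaque session id with HttpOnly, Secure and SameSite set, while the access token (JWT or otherwise) appears only in the backend's session store and in the Authorization header the backend builds for upstream calls. Whether the access token is a JWT does not change this: the backend treats it as an opaque bearer credential, and the browser never sees it.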