Implement the sample showing the implementations of the recommendations in https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07#section-6.2 #4

Open
sandipchitale opened this issue Oct 12, 2020 · 1 comment

Comments

@sandipchitale

Expected Behavior

The RFC https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07 recommends use of:

JavaScript Applications with a Backend

The Application Server (Backend) SHOULD be considered a confidential client,
and issued its own client secret. The Application Server SHOULD use
the OAuth 2.0 Authorization Code grant with PKCE to initiate a
request for an access token.
Security of the connection between code running in the browser and
this Application Server is assumed to utilize browser-level
protection mechanisms. Details are out of scope of this document,
but many recommendations can be found in the OWASP Cheat Sheet series
(https://cheatsheetseries.owasp.org/), such as setting an HTTP-only
and Secure cookie to authenticate the session between the browser and
Application Server.
In this scenario, the session between the browser and Application
Server SHOULD be a session cookie provided by the Application Server.

Current Behavior

I have not seen any samples and/or documentation explaining how to implement the recommendation, especially when using JWT tokens. It would be good if the documentation discussed whether the above recommendation is applicable when using JWT tokens with OAuth2.

Context

@jzheaux
Contributor

jzheaux commented Nov 12, 2020

Hi, @sandipchitale, I'm going to transfer this issue over to spring-security-samples, since we are moving our samples over there.

I think an oauth2Login sample like this one that is compatible with the Spring Security Resource Server samples could be illustrative.

@jzheaux jzheaux transferred this issue from spring-projects/spring-security Nov 12, 2020
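An added configuration sketch of the section 6.2 pattern in Spring Security (example code written for this page, not the project's sample and not code from either participant): the backend is the confidential client, starts Authorization Code with PKCE, authenticates the browser with an HttpOnly/Secure session cookie, and relays the bearer token to the resource server itself so the JWT never reaches the browser. It assumes Spring Boot 2.7 / Spring Security 5.7 or later with spring-webflux on the classpath, a hypothetical client registration named `bff` with `client-secret` set, and `server.servlet.session.cookie.http-only=true` and `server.servlet.session.cookie.secure=true` in application.properties.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.*;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.*;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.reactive.function.client.WebClient;

// Backend-for-frontend: the browser holds only the HttpOnly session cookie; this backend is
// the confidential client (hypothetical registration id "bff") holding the secret and tokens.
@Configuration
public class BffSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, ClientRegistrationRepository registrations) throws Exception {
        // Authorization Code grant with PKCE even for a confidential client, as section 6.2 recommends.
        DefaultOAuth2AuthorizationRequestResolver resolver =
                new DefaultOAuth2AuthorizationRequestResolver(registrations, "/oauth2/authorization");
        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(login -> login.authorizationEndpoint(
                    endpoint -> endpoint.authorizationRequestResolver(resolver)))
            // A cookie-authenticated session needs CSRF protection; the readable XSRF-TOKEN
            // cookie lets the browser-side JavaScript echo it in the X-XSRF-TOKEN header.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }

    // Manages the tokens stored server-side for the logged-in session (the default provider
    // handles the authorization code and refresh-token flows).
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository registrations,
                                                          OAuth2AuthorizedClientRepository authorizedClients) {
        return new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
    }

    // WebClient that attaches the session's access token as a Bearer header when the
    // backend calls the resource server, so the JWT never reaches the browser.
    @Bean
    WebClient resourceServerClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultOAuth2AuthorizedClient(true);
        return WebClient.builder().apply(oauth2.oauth2Configuration()).build();
    }
}
```

A controller behind this chain receives only the session cookie from the browser and uses the injected `WebClient` to call the Resource Server sample, which then validates the JWT as usual.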