Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

David Waite <> Fri, 18 May 2018 10:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DB0DE129C6C for <>; Fri, 18 May 2018 03:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.435
X-Spam-Level: *
X-Spam-Status: No, score=1.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id V_gZWd7E9Gcf for <>; Fri, 18 May 2018 03:04:47 -0700 (PDT)
Received: from ( [IPv6:2600:3c00::f03c:91ff:fe93:6974]) by (Postfix) with ESMTP id 1720C127873 for <>; Fri, 18 May 2018 03:04:46 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:89f1:9f32:cd33:f67c] (unknown [IPv6:2601:282:202:b210:89f1:9f32:cd33:f67c]) by (Postfix) with ESMTPSA id CF1A831544; Fri, 18 May 2018 10:04:45 +0000 (UTC)
From: David Waite <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_701D3F8F-1A06-4744-AD29-4A826590726A"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Fri, 18 May 2018 04:04:44 -0600
In-Reply-To: <>
Cc: Brock Allen <>, "" <>
To: Hannes Tschofenig <>
References: <> <>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <>
Subject: Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 May 2018 10:04:50 -0000

I have written some guidance already (in non-RFC format) on preferring code for single page apps, and other security practices (CORS, CSP). From the AS point of view, it aligns well with the native apps BCP. There are benefits of thinking about native and SPA apps just as ‘public clients’ from a policy/properties point of view. It also greatly simplifies OAuth/OIDC support on both the AS administrator and client developer side when converting web properties into native apps using technologies like Electron or Cordova.

For the later requirements in the list around token policy, I am not sure these are requirements for single page apps per se. I don’t believe the need for a policy using short-lived refresh tokens, revoking at signout, or use of the revocation endpoint are different from browser and native applications. Rather they seem to be a function of usage patterns that an AS may need to support, and we happen to sometimes associate those usage patterns with typical usage of native apps vs of browser apps. For example, browser login on a borrowed device can easily leak over to being app authorization - the authentication/authorization are web-based processes to achieve SSO.

I have been working on some guidance here around token lifetimes and policies, but I don’t know whether that brings in too much AS/OP business logic (and, likely implied product/deployment features) to be industry practices.


> On May 17, 2018, at 10:23 AM, Hannes Tschofenig <> wrote:
> Hi Brock,
> there have been several attempts to start writing some guidance but so far we haven’t gotten too far.
> IMHO it would be great to have a document.
> Ciao
> Hannes
> From: OAuth [ <>] On Behalf Of Brock Allen
> Sent: 17 May 2018 14:57
> To: <>
> Subject: [OAUTH-WG] is updated guidance needed for JS/SPA apps?
> Much like updated guidance was provided with the "OAuth2 for native apps" RFC, should there be one for "browser-based client-side JS apps"? I ask because google is actively discouraging the use of implicit flow:
> <>
> From what I can tell, the complaints with implicit are:
> * access token in URL
> * access token in browser history
> * iframe complexity when using prompt=none to "refresh" access tokens
> But this requires:
> * AS/OP to support PKCE
> * AS/OP to support CORS 
> * user-agent must support CORS
> * AS/OP to maintain short-lived refresh tokens 
> * AS/OP must aggressively revoke refresh tokens at user signout (which is not something OAuth2 "knows" about)
> * if the above point can't work, then client must proactively use revocation endpoint if/when user triggers logout
> Any use in discussing this?
> -Brock
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
> OAuth mailing list
> <>
> <>