Re: [OAUTH-WG] Recommendations for browser-based apps

<> Thu, 26 January 2017 00:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AB9D3129421 for <>; Wed, 25 Jan 2017 16:24:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kafTbxBeMFgk for <>; Wed, 25 Jan 2017 16:24:03 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AF73D126D74 for <>; Wed, 25 Jan 2017 16:24:03 -0800 (PST)
Received: by with SMTP id 194so68416016pgd.2 for <>; Wed, 25 Jan 2017 16:24:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=message-id:mime-version:to:from:subject:date:importance:in-reply-to :references; bh=MCtXH4Z2MKhohqCNLhviMn4X6TY4yzXsCbRCy+qW6B8=; b=UdT4H7nS/QGx71PdzBG3aYX+eJggTwRU08JfgpjrwfjgFs7MTZRZBET8jVO7Mng2jt ofsjH/Z3TsE968b0t+Fg6oj5cjqzLWVP8kGSOXd1BcBV53uxlxsw2tSI7oKpQyE8XO90 DggXYTkp39QzmN6YS+2ACvrr1LghL62XLNM4YLEiXDXJwxQwEFcCfqnOxIW3U1i57rzb 3OBDoq7qYEUd7KNmE4fmvchO4unxi01gGtn+Hsxis4L79Z5khEkf6CAZ8+zjRBDpyn01 tXwjkdmgucyi5wEMscH7tVREMzrndFcUMGYglgbGLCBLEseLKh6GMxM/11o4MAxMDxZa ho7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:message-id:mime-version:to:from:subject:date :importance:in-reply-to:references; bh=MCtXH4Z2MKhohqCNLhviMn4X6TY4yzXsCbRCy+qW6B8=; b=GIv6rvoj2mSUenher8x1YDN5TjcRsnqqBzw/FFJZ021yhApv7V3DCc6jEeSVqMXz0v 33iLkz/qQEWCCI17suOp2FhcoyQ45irxUHE0bKBwb+OEOFDsLry8JqrEO+wmNemExSsf 1J4jxEqI8a1KpdxeC4p1Fo2fLapwxAAcVDnJOD/1zyIUdZfetBLfbQTT6Gg5LC+6aal0 COL83AAx9P49Z/UGJh8t4cxrrsbHs0oZ+/ltv0ioIxn+JRD3t9ctBe71+hnzdYUVZCH0 Jh9KWJE3EJsNteZc6cRoJcBQziWZjKtvg6relam2IlhvIOm17KYPSvwdx37RTHsZQoOR PSGw==
X-Gm-Message-State: AIkVDXJIVKiOKkuV2xKIRArPNVb+ZLuj5KI6vw/dHp3QHEb5HQdUAGxTrT6QyqvPiItW8LAA
X-Received: by with SMTP id y25mr122094pfj.162.1485390243035; Wed, 25 Jan 2017 16:24:03 -0800 (PST)
Received: from ?IPv6:::ffff: ([]) by with ESMTPSA id h17sm3632973pfh.62.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Jan 2017 16:24:01 -0800 (PST)
Message-ID: <>
MIME-Version: 1.0
To: Aaron Parecki <>, OAuth WG <>
From: <>
Date: Wed, 25 Jan 2017 16:24:01 -0800
Importance: normal
X-Priority: 3
In-Reply-To: <>
References: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="94eb2c1168accdbc740546f45db9"
Archived-At: <>
Subject: Re: [OAUTH-WG] Recommendations for browser-based apps
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 26 Jan 2017 00:24:05 -0000

It depends on what you mean by browser based apps.

In general for single page apps that are java script executing in the browser dom, the recommendation would be implicit flow. 

These apps don’t by definition need offline access as they go away when the user is not present.

We have talked about developing guidance for single page apps, but don’t have anything yet.

I think it needs to be thought through again now that new things like service workers are available, and we will eventually get token binding in the browser (hint it is on in IE and Edge on windows 10 preview and in Chrome behind a feature flag now) 

You could use the PKCE appAuth type flow in a SPA app if you have the correct CORS setup.
I however cant at this point say that you are getting improved security for the extra work in that environment.

John B.
Sent from Mail for Windows 10

From: Aaron Parecki
Sent: January 25, 2017 3:12 PM
To: OAuth WG
Subject: [OAUTH-WG] Recommendations for browser-based apps

Thanks to the new "OAuth 2.0 for Native Apps" and PKCE documents, we have a solid recommendation for how to do OAuth 2.0 for native apps. 

Given that PKCE is intended for "public clients" and not specifically native apps, I'm wondering where that leaves browser-based apps. The core spec still says that the implicit grant is recommended for browser-based apps, but it's looking like the recommendation is to use the authorization code flow + PKCE with no secret for browser-based apps.

Am I correct in thinking that the general recommendation would be to use the authorization code flow with no secret, and even better to use PKCE for browser-based apps?

Aaron Parecki