Forget About OAuth 2.0. Here Comes OAuth 2.1 - Philippe De Ryck - NDC Oslo 2022

Fleeting

• External reference:

OAuth 2.0, OAuth 2.1

ndcconferences

refresh token make sense when the client secret can be kept secret.

therefore, in public clients, because the secret is not very secret, the refresh token is a simple bearer token.

therefore, the authorization code grant does not make sense and the implicit grant was suggested otherwise, not less secure.

It is still very insecure though.

Now, in public client one should perform authorization code grant with PKCE and refresh token rotation.

Notes linking here

• backend for frontend
• refresh token rotation

Permalink