Konubinix' opinionated web of thoughts

OAuth 2.0 for Browser-Based Apps

Fleeting

OAuth 2.0 for Browser-Based Apps

summary, browser-based applications using the Authorization Code flow

MUST use PKCE ([RFC7636]) when obtaining an access token (Section 7.1)¶

MUST Protect themselves against CSRF attacks (Section 7.3) by either:¶

ensuring the authorization server supports PKCE, or¶

by using the OAuth 2.0 “state” parameter or the OpenID Connect “nonce” parameter to carry one-time use CSRF tokens¶

MUST Register one or more redirect URIs, and use only exact registered redirect URIs in authorization requests (Section 7.2)¶

In summary, OAuth 2.0 authorization servers supporting browser-based applications using the Authorization Code flow:¶

MUST Require exact matching of registered redirect URIs (Section 7.2)¶

MUST Support the PKCE extension (Section 7.1)¶

MUST NOT issue access tokens in the authorization response (Section 10.9)¶

If issuing refresh tokens to browser-based applications (Section 8), then:¶

MUST rotate refresh tokens on each use or use sender-constrained refresh tokens, and¶

MUST set a maximum lifetime on refresh tokens or expire if they are not used in some amount of time¶

when issuing a rotated refresh token, MUST NOT extend the lifetime of the new refresh token beyond the lifetime of the original refresh token if the refresh token has a preestablished expiration time¶

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps