OAuth 2.0 Security Best Current Practice
Fleeting - External reference: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
See OAuth 2 with Single-Page Apps
authorization servers MUST utilize exact string matching except for port numbers in localhost redirection URIs of native apps
— https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-introduction-8
Public clients MUST use PKCE
— https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-introduction-8
clients SHOULD NOT use the implicit grant (response type “token”)
[…]
Clients SHOULD instead use the response type “code” (aka authorization code grant type)
— https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-introduction-8