OAuth 2 With Single-Page Apps
Fleeting
- External reference: https://www.oauth.com/oauth2-servers/single-page-apps/
- External reference: https://www.oauth.com/oauth2-servers/single-page-apps/security-considerations/
only way the authorization code grant with no client secret can be secure is by using the “state” parameter and restricting the redirect URL to trusted clients. Since the secret is not used, there is no way to verify the identity of the client other than by using a registered redirect URL. This is why you need to pre-register your redirect URL with the OAuth 2.0 service.
See: use an exhaustive allowlist of registered redirect URIs and compare the requested `redirect_uri` against it by exact string match (no prefix, wildcard or same-host matching).
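The two controls the quote above names, exact-match redirect URI registration and a single-use `state` value bound to the user's session, as an added example (my code, not from oauth.com or any particular authorization server). The client id and redirect URIs are constructed values; the `session` dict stands in for whatever server-side session store the authorization server uses.

```python
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed registration data for one public (no-secret) SPA client.
REGISTERED_REDIRECT_URIS: Dict[str, Set[str]] = {
    "client-spa-1": {
        "https://app.example.com/callback",
        "https://app.example.com/silent-renew",
    },
}


def redirect_uri_is_registered(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the client's registered list.

    Deliberately no prefix, wildcard or 'same host' matching: with no client
    secret, the registered redirect URI is the only thing that identifies the
    client, so anything looser than exact match weakens that identification.
    """
    allowed = REGISTERED_REDIRECT_URIS.get(client_id, set())
    return redirect_uri in allowed


def new_state(session: dict) -> str:
    """Generate an unguessable state value and bind it to the user's session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def state_is_valid(session: dict, returned_state: Optional[str]) -> bool:
    """Compare the state that came back on the redirect with the stored one.

    The stored value is removed on first use, so a replayed redirect fails.
    """
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


def validate_authorization_request(params: Dict[str, str]) -> Tuple[bool, str]:
    """Checks an authorization server should run before redirecting anywhere.

    If client_id or redirect_uri is not acceptable the server must show the
    error to the user itself rather than redirect, since the redirect target
    is exactly what could not be trusted.
    """
    if params.get("response_type") != "code":
        return False, "unsupported_response_type"
    client_id = params.get("client_id", "")
    if client_id not in REGISTERED_REDIRECT_URIS:
        return False, "unknown client_id"
    if not redirect_uri_is_registered(client_id, params.get("redirect_uri", "")):
        return False, "redirect_uri not registered for this client"
    if not params.get("state"):
        return False, "missing state"
    return True, "ok"


if __name__ == "__main__":
    session = {}
    state = new_state(session)
    ok, reason = validate_authorization_request({
        "response_type": "code",
        "client_id": "client-spa-1",
        "redirect_uri": "https://app.example.com/callback",
        "state": state,
    })
    print(ok, reason)
    print("state accepted once:", state_is_valid(session, state))
    print("state accepted twice:", state_is_valid(session, state))
```

The exact-match check treats a trailing slash, an added query string or a path traversal on the registered host as different URIs, which is the behaviour the quote is asking for.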
move all of the OAuth flow to the server component, and keep the access tokens and refresh tokens out of the browser entirely
— https://www.oauth.com/oauth2-servers/single-page-apps/security-considerations/
risks of data leakage from third-party scripts, it is extremely important to have a good Content-Security Policy configured for your app so that you can be more confident that arbitrary scripts aren’t able to run in the application
— https://www.oauth.com/oauth2-servers/single-page-apps/security-considerations/
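The server-side pattern the two quotes above describe (the OAuth flow and the tokens live on the server, the browser only holds an opaque session cookie, and every response carries a Content Security Policy), as an added example that is not from oauth.com. All endpoints, client ids and token values are constructed; `exchange_code` and `call_upstream` are injected callables so the example runs offline, and the in-memory `SESSIONS` dict stands in for a real server-side session store.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed settings for a hypothetical app; none of these are real endpoints.
AUTHORIZE_URL = "https://auth.example.com/authorize"
CLIENT_ID = "client-spa-1"
REDIRECT_URI = "https://app.example.com/callback"

# Server-side session store keyed by an opaque session id. Access and refresh
# tokens are kept here and are never written into a response body or cookie.
SESSIONS: Dict[str, dict] = {}

# A restrictive policy: only same-origin scripts, no inline code, no plugins,
# no framing, and API calls limited to the app's own origin and its API host.
CSP = (
    "default-src 'self'; "
    "script-src 'self'; "
    "object-src 'none'; "
    "base-uri 'self'; "
    "frame-ancestors 'none'; "
    "connect-src 'self' https://api.example.com"
)


def _baseline_headers() -> Dict[str, str]:
    return {"Content-Security-Policy": CSP, "Cache-Control": "no-store"}


def _session_from_cookie(cookie_header: Optional[str]) -> Tuple[Optional[str], Optional[dict]]:
    cookies = SimpleCookie(cookie_header or "")
    sid = cookies["sid"].value if "sid" in cookies else None
    return sid, (SESSIONS.get(sid) if sid else None)


def start_login() -> dict:
    """GET /login: create a server session, bind a state value to it, redirect to the AS."""
    sid = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"state": state}
    location = AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "profile", "state": state,
    })
    headers = _baseline_headers()
    headers["Location"] = location
    # HttpOnly keeps the session id out of reach of any script on the page.
    headers["Set-Cookie"] = f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return {"status": 302, "headers": headers, "body": ""}


def handle_callback(query_string: str, cookie_header: Optional[str],
                    exchange_code: Callable[[str, str], dict]) -> dict:
    """GET /callback?code=..&state=..: check state, exchange the code server to
    server, keep the resulting tokens in the session. The state is consumed on
    first use so a replayed callback is rejected."""
    _, session = _session_from_cookie(cookie_header)
    query = parse_qs(query_string)
    expected = session.pop("state", None) if session else None
    returned = query.get("state", [None])[0]
    if not expected or not returned or not secrets.compare_digest(expected, returned):
        return {"status": 400, "headers": _baseline_headers(), "body": "state mismatch"}
    session["tokens"] = exchange_code(query.get("code", [""])[0], REDIRECT_URI)
    headers = _baseline_headers()
    headers["Location"] = "/"
    return {"status": 302, "headers": headers, "body": ""}


def api_proxy(cookie_header: Optional[str], call_upstream: Callable[[str], str]) -> dict:
    """GET /api/me: the browser sends only its cookie; the server attaches the bearer token."""
    _, session = _session_from_cookie(cookie_header)
    if not session or "tokens" not in session:
        return {"status": 401, "headers": _baseline_headers(), "body": "login required"}
    body = call_upstream(session["tokens"]["access_token"])
    return {"status": 200, "headers": _baseline_headers(), "body": body}


def demo() -> dict:
    """Walk one login through the three handlers with constructed fakes."""
    login = start_login()
    cookie = login["headers"]["Set-Cookie"].split(";")[0]
    state = parse_qs(login["headers"]["Location"].split("?", 1)[1])["state"][0]

    def fake_exchange(code: str, redirect_uri: str) -> dict:
        return {"access_token": "constructed-token-" + code, "refresh_token": "constructed-refresh"}

    first = handle_callback(f"code=abc&state={state}", cookie, fake_exchange)
    replay = handle_callback(f"code=abc&state={state}", cookie, fake_exchange)
    me = api_proxy(cookie, lambda token: f"upstream called with {token}")
    return {
        "callback_status": first["status"], "replay_status": replay["status"],
        "api_status": me["status"], "api_body": me["body"],
        "cookie": login["headers"]["Set-Cookie"],
        "csp": me["headers"]["Content-Security-Policy"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nothing the browser receives contains an access or refresh token, which is what makes the LocalStorage concern below moot for this layout: a script injected into the page can read the session cookie's effects through the same-origin API, but cannot read the cookie itself or the tokens behind it.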
anything you store in LocalStorage is potentially visible to third-party scripts on your page
— https://www.oauth.com/oauth2-servers/single-page-apps/security-considerations/