Konubinix' opinionated web of thoughts

OAuth 2 With Single-Page Apps


only way the authorization code grant with no client secret can be secure is by using the “state” parameter and restricting the redirect URL to trusted clients. Since the secret is not used, there is no way to verify the identity of the client other than by using a registered redirect URL. This is why you need to pre-register your redirect URL with the OAuth 2.0 service


see use an exhaustive list of redirect uri in exact match

move all of the OAuth flow to the server component, and keep the access tokens and refresh tokens out of the browser entirely


risks of data leakage from third-party scripts, it is extremely important to have a good Content-Security Policy configured for your app so that you can be more confident that arbitrary scripts aren’t able to run in the application


anything you store in LocalStorage is potentially visible to third-party scripts on your page


Notes linking here