OAuth It S Complicatedfleeting
- External reference:
- External reference: https://changelog.com/podcast/456
OAuth It s complicated
One creator of OAuth 2.0 tells, among other things, that
- there is no way to securize a client secret in a web client (like a single page application)
- oauth was created making the hypothesis that the client existed with a unique instance
- now that there exist plenty of clients that are web clients, therefore plenty of instances of the same client (with the same client id and client secret) is still possible but raises a lot of questions.
- like the fact that an access token created for an instance of a client is usable by another instance might be a problem
- yet, some people found workaround this
- for that reason, grant negotiation and access protocol is being invented.
- the implicit grant was made at a time the browsers were not what they are
today. It is totally obsolete and should be replaced by authorization code
grant with PKCE.
- remembering about the difference between the front channel and the back channel helps understanding this