proposal/discussion: OAuth - disallow web application to be OAuth public client (and to have direct communication with OAuth token endpoint) #1963
Labels: 1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet); V51 (Group issues related to OAuth); _5.0 - prep (This needs to be addressed to prepare 5.0)
spin-off from #1916 "Discussion/Proposal 1"
The summary for browser based communication says:
Write a requirement (preferred) or at least a "really strong recommendation" to avoid an architecture where the browser communicates directly with the authorization server for the token request and handles the access token and refresh token.
Or, in OAuth terminology, that an OAuth confidential (and not public) client is used.
May be limited to first-party solutions.
It requires quite a strong change to a widespread attitude, as with SPA architecture the browser often uses the OAuth service directly, including the token endpoint.
--
Feedback from @tghosth in #1916 (comment)
--
Overlaps with a recommendation from @TobiasAhnoff in #1925
--
So the question is - are there valid reasons to not disallow it?
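For readers following the architecture being proposed, here is an added example (not part of the issue or of ASVS) of the confidential-client alternative to a browser talking to the token endpoint: a minimal backend-for-frontend (BFF). The authorization server, its token endpoint, the client id, the client secret and the authorization code are all constructed stand-ins so the example runs offline; the names are assumptions, not anything from the issue.

```python
"""Backend-for-frontend (BFF) pattern: the browser never talks to the OAuth
token endpoint and never holds an access or refresh token.

Added example. The authorization server below is a constructed simulation.
"""
from __future__ import annotations

import secrets
from typing import Optional

# ---- Constructed authorization server ---------------------------------------
CLIENT_ID = "example-web-app"                    # assumed registered client id
CLIENT_SECRET = "server-side-secret-not-in-js"   # assumed; exists only on the server
# One-time authorization codes the simulated AS issued after user login.
_AUTHORIZATION_CODES = {
    "code-abc": {"access_token": "at-111", "refresh_token": "rt-222", "expires_in": 300},
}


def token_endpoint(form: dict) -> dict:
    """Simulated /token endpoint for a confidential client.

    Requires client authentication (client_id + client_secret) and a single-use
    authorization code; returns a token response or an OAuth error object.
    """
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
        return {"error": "invalid_client"}
    tokens = _AUTHORIZATION_CODES.pop(form.get("code"), None)  # codes are single-use
    if tokens is None:
        return {"error": "invalid_grant"}
    return dict(tokens)


# ---- Backend-for-frontend (the confidential client) -------------------------
class BackendForFrontend:
    """Keeps OAuth tokens server-side; the browser only gets an opaque session cookie."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def handle_callback(self, code: str) -> dict:
        """Redirect-URI handler: exchanges the code using the client secret and
        returns the HTTP response the browser sees (opaque cookie or an error)."""
        tokens = token_endpoint({
            "grant_type": "authorization_code",
            "code": code,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        })
        if "error" in tokens:
            return {"status": 400, "headers": {}, "body": tokens["error"]}
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = tokens  # tokens stay in server memory
        return {
            "status": 302,
            "headers": {
                # __Host- prefix: cookie must be Secure, Path=/ and carry no Domain.
                "Set-Cookie": f"__Host-session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/",
                "Location": "/",
            },
            "body": "",
        }

    def proxy_api_call(self, cookie_sid: str) -> dict:
        """Browser calls carry only the cookie; the BFF attaches the bearer token
        to the upstream request, so the browser never handles it."""
        tokens = self._sessions.get(cookie_sid)
        if tokens is None:
            return {"status": 401}
        return {"status": 200, "upstream_authorization": f"Bearer {tokens['access_token']}"}


def browser_visible_text(response: dict) -> str:
    """Everything the browser can observe in a BFF response: status, headers, body."""
    parts = [str(response.get("status", ""))]
    parts += [f"{k}: {v}" for k, v in response.get("headers", {}).items()]
    parts.append(str(response.get("body", "")))
    return "\n".join(parts)


def session_id_from_response(response: dict) -> Optional[str]:
    """Extract the opaque session id the browser would store from Set-Cookie."""
    cookie = response.get("headers", {}).get("Set-Cookie")
    if not cookie:
        return None
    name_value = cookie.split(";", 1)[0]
    return name_value.split("=", 1)[1]


if __name__ == "__main__":
    bff = BackendForFrontend()
    resp = bff.handle_callback("code-abc")
    print(browser_visible_text(resp))              # no token, no secret in here
    sid = session_id_from_response(resp)
    print(bff.proxy_api_call(sid))                 # token attached server-side
```

The check a reviewer would apply to a real deployment is the one `browser_visible_text` makes concrete: nothing the browser receives (response body, headers, or script-readable storage) contains the access token, refresh token or client secret, and the only call to the token endpoint originates from the server.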