
Consider requiring PKCE

Open michielbdejong opened this issue 6 years ago • 4 comments

There seems to be some progress in general opinion about implicit grant flow best practices; we should probably require PKCE (https://www.oauth.com/oauth2-servers/pkce/) in how the remoteStorage spec uses OAuth Implicit Grant.

https://tools.ietf.org/id/draft-parecki-oauth-browser-based-apps-02.txt
https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
https://www.google.com/search?q=implicit+flow+problems

michielbdejong, Aug 21 '19 18:08

Just completing the links: the current draft of the BCP can be found at https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/ (moved to a new name)

raucao, Sep 13 '19 13:09

cc @fkooman

michielbdejong, Sep 16 '19 08:09

Yeah, it would be best to switch to the authorization code profile and use PKCE. That's what I've been doing for other projects, i.e. supporting RFC 8252 "OAuth 2.0 for Native Apps". The draft @skddc refers to is very similar.

Specifically relevant for RS: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-03#section-6.3

ghost, Sep 16 '19 08:09

This draft mentions requirements for keeping implicit grant flow (but generally recommends not using it anymore): https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15

raucao, May 12 '20 11:05