caseysoftware 7 days ago

Yes, 100% agreed. I launched and worked on OAuth 2.0 at Okta for ~5 years and spent most of my time showing people how to do it well and (gently) finding the holes and mistakes in their implementations. Sure, we were selling "OAuth as a Service" but most had introduced usability problems (at minimum) and gaping security vulns (at worst).

For a deep dive, check out Aaron Parecki's book: https://oauth2simplified.com/ - he's deeply involved in the (coming) OAuth 2.1.

When I led re-implementation at pangea.cloud over the last couple years, we dropped most of the capabilities deprecated in 2.1 (resource owner password, implicit) and went straight to Auth Code with PKCE to make it a bit more manageable. I walk through that progression/simplification here: https://speakerdeck.com/caseysoftware/the-many-layers-of-oau...
gethly 7 days ago

What is your opinion on the token response type and/or id_token for OIDC being part of the fragment of the redirect URI? I have noticed that Apple only supports the "code" response type, which is the most secure way. The downside is that it requires a back channel and a second request to be made, but I cannot imagine a use case where this would be a problem, as I don't see a pure Single-Page Application having any use for this in any way, except purely rendering some protected data in a different format, which seems like a silly use case.
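The Auth Code with PKCE flow the parent comment settled on, and the response_type=code point raised above, as an added illustration that is not code from either commenter, Okta or pangea.cloud. The endpoint, client id and redirect URI are constructed placeholders; the verifier/challenge rules follow RFC 7636 (S256), and the callback parser rejects anything arriving in the URL fragment, which is where the deprecated implicit flow would have put a token.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real endpoints or a real client registration.
AUTHORIZE_ENDPOINT = "https://issuer.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/callback"

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """code_verifier: 32 random bytes -> 43 unreserved chars (allowed range is 43..128)."""
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorization_url(challenge: str, state: str) -> str:
    """Client side: response_type=code, so only a one-time code comes back, never a token in the URL."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def code_from_callback(callback_url: str, expected_state: str):
    """Client side: the code arrives in the query string; a non-empty fragment or a wrong state is rejected."""
    parsed = urlparse(callback_url)
    query = parse_qs(parsed.query)
    if parsed.fragment or query.get("state") != [expected_state]:
        return None
    return query.get("code", [None])[0]

def server_verifies(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token endpoint side: recompute the challenge from the verifier sent with the code and compare in constant time."""
    if stored_method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)
```

The server must bind the stored challenge to the issued code, so that the verifier presented at the token endpoint is checked against the challenge from the same authorization request.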
jaeyson 6 days ago

Thanks for the link and slide deck.