Why are CSAs called public clients?
CSAs are known as "public clients" in the OAuth 2.0 specifications. There are two reasons for this:
- They cannot keep the client secret (the client's password) confidential on the client side
- They cannot store access tokens completely securely on the client side
https://stackoverflow.com/questions/46681889/clarification-on-id-token-vs-access-token
https://community.auth0.com/t/clarification-on-token-usage/8447/2
The two links above are super critical.
Question: How to handle the redirect response from a Single Page Application (browser-only) web app?
https://stackoverflow.com/questions/55348531/how-to-handle-redirect-response-from-a-single-page-application-browser-only-weba
Question: If every call to both the authorization server and the resource server is done over SSL, then how are refresh tokens safer compared to access tokens?
Question: Is OAuth an authentication or an authorization protocol? What is the difference between authentication and authorization?
Question: Why is the implicit flow bad?
Question: Why are refresh tokens banned in the implicit flow?
Question: Why does the authorization code grant flow generate an authorization code which is then exchanged for an access token?
Question: Does the authorization code grant flow need HTTPS, or will it work over HTTP?
Question: Does the PKCE flow need the state parameter?
Question: In web applications, state is typically stored in the session. Can it be stored in cookies?
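Added example (not from the linked posts, and not any library's real code): a toy simulation of the code-for-token exchange with PKCE and state, to see why the code alone is worthless without the verifier and why state is still needed. `ToyAuthorizationServer`, `ToySpaClient`, the client id and redirect URI are all constructed names for the demo; only the stdlib is used.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Random code_verifier (43 chars) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class ToyAuthorizationServer:
    """Constructed stand-in for an authorization server (demo only, not a real AS)."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, state):
        # The user would authenticate here; on success the AS issues a short-lived,
        # single-use code bound to the challenge and echoes state back unchanged.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return {"code": code, "state": state}  # the query parameters of the redirect

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._pending.pop(code, None)  # pop: a code is good exactly once
        if entry is None:
            return None
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            return None
        recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(recomputed, challenge):
            return None  # the caller does not hold the verifier that produced the challenge
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


class ToySpaClient:
    """Public client: no client secret, only a per-login verifier and state kept in memory."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.state = None
        self.verifier = None

    def start_login(self, auth_server):
        self.state = b64url(secrets.token_bytes(16))
        self.verifier, challenge = make_pkce_pair()
        # Only the challenge leaves the client; the verifier never appears in any redirect.
        return auth_server.authorize(self.client_id, self.redirect_uri, challenge, "S256", self.state)

    def handle_redirect(self, auth_server, params):
        # state ties this redirect to the login this client started (CSRF check);
        # PKCE does not replace it, it answers a different question.
        if not hmac.compare_digest(params.get("state", ""), self.state):
            return None
        return auth_server.token(self.client_id, self.redirect_uri, params["code"], self.verifier)


def run_scenarios():
    """Exercise the checks the toy AS and client enforce; every value should be True."""
    auth = ToyAuthorizationServer()
    spa = ToySpaClient("spa-demo", "https://spa.example/callback")  # constructed values
    results = {}

    redirect = spa.start_login(auth)
    results["honest_login_gets_token"] = spa.handle_redirect(auth, redirect) is not None
    results["code_replay_rejected"] = spa.handle_redirect(auth, redirect) is None

    redirect = spa.start_login(auth)
    # A code seen in the redirect, presented without the verifier, buys nothing.
    without_verifier = auth.token("spa-demo", "https://spa.example/callback",
                                  redirect["code"], "not-the-verifier")
    results["code_without_verifier_rejected"] = without_verifier is None

    redirect = spa.start_login(auth)
    foreign = {"code": redirect["code"], "state": "some-other-login"}
    results["foreign_state_rejected"] = spa.handle_redirect(auth, foreign) is None
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Run it directly and all four scenarios should print `pass`. The two checks are independent on purpose: the verifier check is done by the authorization server and protects the code, the state check is done by the client and protects the client's own callback.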
Question: Implicit flow with form_post is used for the simplified authentication-only use case where the SPA has a back end; why can it not be used for authorization + authentication?
The issue is that storing access tokens in the browser is difficult: access tokens stored in localStorage or sessionStorage are exposed to XSS attacks.
If the SPA has a back end and wants to store the access token, then it is better to store it on the back-end server, in which case the authorization code grant flow should be used.
If the use case is only authentication, then the session cookie can be an HttpOnly cookie, which script cannot read and which is therefore not exposed to XSS.
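Added example (my own, not from the linked posts): building the back-end session cookie the note above describes with the stdlib `http.cookies`, plus a small audit function that flags a Set-Cookie header missing the attributes that matter for a token or session cookie. The cookie name and value are constructed sample data.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, session_id, max_age=3600):
    """Set-Cookie header value for a back-end session cookie that page scripts cannot read."""
    jar = SimpleCookie()
    jar[name] = session_id
    morsel = jar[name]
    morsel["httponly"] = True   # not visible via document.cookie, so injected script cannot read it
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return hardening findings for one Set-Cookie header value; an empty list means it passes."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: any script on the page can read the value")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: browser default applies")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings


if __name__ == "__main__":
    good = build_session_cookie("sid", "3f9c1a7b")        # constructed session id
    bad = "access_token=eyJhbGciOi.sample.sig; Path=/"     # constructed, token dropped in a bare cookie
    print(good)
    print("good:", audit_set_cookie(good) or "ok")
    print("bad: ", audit_set_cookie(bad))
```

The audit only looks at attributes; it says nothing about what is inside the cookie, which is the separate question of whether the value needs encrypting.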
Question: Do you need to encrypt the ID/access token stored in cookies?
Only if the token is carrying sensitive info; and then, how will decryption happen?