OAuth-tricky-questions

why are csa call public clients?

CSAs are known as “public clients” in OAuth 2.0 specifications. There are two reasons for this:

They cannot store the client’s password completely securely on the client-side

They cannot store the access tokens completely securely on the client-side

https://stackoverflow.com/questions/46681889/clarification-on-id-token-vs-access-token

https://community.auth0.com/t/clarification-on-token-usage/8447/2

the above 2 are super critical

Question :How to handle redirect response from a Single Page Application browser only webapp

https://stackoverflow.com/questions/55348531/how-to-handle-redirect-response-from-a-single-page-application-browser-only-weba

Question : If every call to both the authorization server and the resource server is done over SSL then how are refresh token safer as compared to access token?

Question : Is oauth authenticaton or authorization protocol? What is the diffrence between authentication and authorization.

Question: why is the implict flow bad?

Question : Why are refresh tokens banned in implict flow?

Question : Why does the authorization grant flow generate authorization code which is then exchanged for access code?

Question : Does the authorization grant flow need https or will it work over http?

Question : Does pkce flow need the state parameter?

Question : In webapplications typically state is stored in session. can it be stored in cookies?

Qestion : implict flow with form_post is used for simplified authentcation only use case where spa has a back end , why can it not be used for authorization + authentication?

the issue is that storing access tokens in browser is difficult as access tokens stored in localstorage or session storage are prone to xss attack.

if the spa has back end and wants to store access token then it is better to store in back end server in which case authorization grant flow should be used.

if the use case is only authentication then session cookie can be httponly cookie which is immuned from xss attack.

Question do you need to encrypt id/access token stored in cookies?

only if the token is carrying sensitive info, and how will decryption happen?

	Nishant Anand I am technical architect with around 18 years of experience in telecom , banking and health care domain. I was part of the founding team of Drishti and currently CTO at affordplan
	Consult Send Query