Hacker News new | past | comments | ask | show | jobs | submit login

People build SPAs with the OAuth2 code flow (and PKCE) all the time.



Sorry, I misspoke. Those SPAs always have middleware to handle the authorization code, right?

It's really the implicit grant (where access tokens are available to the client) that should be avoided.


No, with PKCE you can do auth code from an SPA


With the implicit grant? I read the RFC recently and thought it was only for the Authorization Code grant.

From https://tools.ietf.org/html/rfc7636

"OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy")."

At the end of the day, no matter what the grant, if you store the access tokens (or refresh tokens) in the browser running an SPA, it is vulnerable to an XSS attack, right?


This is solvable by use of a web worker as a key vault:

https://gitlab.com/jimdigriz/oauth2-worker


That is very cool, thanks for sharing!

Edit: This seems pretty new, any timeline for a release?


Thanks. I am not wholly convinced of the benefits of releases for a project of this scale, I suspect most will just reimplement the moving parts in their own code for a variety of (usually NIH) reasons.


With PKCE you can use the authorzation_code grant flow. The whole issue with SPAs and the authorization_code grant flow isn't the presence or absence of middleware; rather, it's the lack of a confidential client. PKCE gets around the requirement for a client to securely store it's secret.


Right, but even after the authorization code flow, the access token is stored somewhere on the client.

My understanding is that that is suboptimal because the browser has such a large surface area to secure.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: