OAuth 2.0 for Browser-Based Apps

tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

OAuth 2.0 for Browser-Based Apps describes security requirements and other recommendations for SPAs and browser-based applications using OAuth 2.0.

Among other things, it recommends using the Authorization Code flow with the PKCE extension instead of using the Implicit flow.

More resources

• Why you should stop using the OAuth implicit grant (Torsten Lodderstedt)
• Section 2.1.2 of OAuth 2.0 Security Best Current Practice
• Single-Page Apps (oauth.com)
• Single-Page Apps (aaronparecki.com)