Consider requiring PKCE

[michielbdejong]

There seems to be some progress in general opinion about implicit grant flow best practices, where probably we should require https://www.oauth.com/oauth2-servers/pkce/ in how the remoteStorage spec uses OAuth Implicit Grant.

https://tools.ietf.org/id/draft-parecki-oauth-browser-based-apps-02.txt
https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
https://www.google.com/search?q=implicit+flow+problems

[raucao]

Just completing the links: the current draft of the BCP can be found at https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/ (moved to a new name)

[michielbdejong]

cc @fkooman

Yeah, it would be best to switch to authorization code profile and use PKCE. That's what I've been doing for other projects, i.e. support RFC8252 "OAuth 2.0 for Native Apps". This draft @skddc refers to is very similar.

Specifically relevant for RS: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-03#section-6.3

[raucao]

This draft mentions requirements for keeping implicit grant flow (but generally recommends not using it anymore): https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15