OAuth 2.0 for Browser-Based Applications
draft-ietf-oauth-browser-based-apps-25

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, debcooley1@gmail.com, draft-ietf-oauth-browser-based-apps@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rfc-editor@rfc-editor.org, rifaat.s.ietf@gmail.com
Subject: Protocol Action: 'OAuth 2.0 for Browser-Based Applications' to Best Current Practice (draft-ietf-oauth-browser-based-apps-25.txt)

The IESG has approved the following document:
- 'OAuth 2.0 for Browser-Based Applications'
  (draft-ietf-oauth-browser-based-apps-25.txt) as Best Current Practice

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Paul Wouters and Deb Cooley.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/


Ballot Text

Technical Summary

   This specification details the threats, attack consequences, security
   considerations and best practices that must be taken into account
   when developing browser-based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

Working Group Summary

   There were some lively discussions on the best way to protect tokens in browsers,
   with different people offering different perspectives. All these perspectives
   were captured in the document with their pros and cons.

   A web security expert reviewed the document and provided
   lots of great feedback. He later joined as a co-author for this document
   and significantly improved the quality of the document.

Document Quality

Because this is a BCP, there are no implementations, per se.
There are also no YANG modules, or other things like that.

There is one downref: RFC 6819.

There are also multiple normative references to 'living standards', which have
been tied down to specific versions.

Personnel

   The Document Shepherd for this document is Rifaat Shekh-Yusef. The
   Responsible Area Director is Deb Cooley.

RFC Editor Note