OAuth 2.0 for Browser-Based Apps

Document Type: Replaced Internet-Draft (individual), expired & archived
Authors: Aaron Parecki, David Waite
Last updated: 2018-12-08
Replaced by: draft-ietf-oauth-browser-based-apps
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Replaced by draft-ietf-oauth-browser-based-apps
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active; a copy of the expired Internet-Draft remains available in the archive.

OAuth 2.0 authorization requests from apps running entirely in a browser cannot use a client secret during the authorization process, since such apps have no way to keep a secret confidential. This specification details the security considerations that must be taken into account when developing browser-based applications, as well as best practices for how they can securely implement OAuth 2.0.


Aaron Parecki
David Waite

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)