
I am in the middle of implementing an OAuth 2 server for my internet forum [0]. The last 10 or so commits are OAuth-related. I read docs for about a month and now I feel like I can code it. One thing that confuses me is how it can work without a client secret (it's recommended to not use a client secret for SPAs and native smartphone apps).

[0] https://github.com/ferg1e/comment-castles



So make sure you are doing PKCE for public clients.

With that, and the redirect URL (and therefore trusting DNS), and the other browser security model stuff… you're in fairly good shape.

There are newer standards coming, like DPoP, but it's probably not worth it yet.


https://archive.is/26yI3

This explainer is pretty good. Sorry for the archive link; the original seems to be down.



