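%% You should probably cite draft-ietf-oauth-browser-based-apps-17 instead of this revision.
%%
%% NOTE(review): this entry describes revision -02 of a work-in-progress
%% Internet-Draft, and the export itself names -17 as the revision to cite.
%% Check any security guidance taken from this revision against the current
%% one before relying on it.
%%
%% NOTE(review): the exported year, month and day fields contained unrendered
%% template errors ("No value found for 'doc.pub_date...'") instead of values,
%% which made the entry unparseable. They are omitted here because the
%% publication date is not given in this export. Add year and month from the
%% datatracker history for revision -02 once confirmed; until then BibTeX will
%% warn about the missing year.
%%
%% Author names are in "Last, First" form, and only the case-sensitive word in
%% the title is brace-protected so that styles can still apply their own casing.
@techreport{ietf-oauth-browser-based-apps-02,
  author      = {Parecki, Aaron and Waite, David},
  title       = {{OAuth} 2.0 for Browser-Based Apps},
  type        = {Internet-Draft},
  number      = {draft-ietf-oauth-browser-based-apps-02},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  note        = {Work in Progress},
  pagetotal   = 18,
  url         = {https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/02/},
  abstract    = {OAuth 2.0 authorization requests from browser-based apps must be made using the authorization code grant with the PKCE extension, and should not be issued a client secret when registered. This specification details the security considerations that must be taken into account when developing browser-based applications, as well as best practices for how they can securely implement OAuth 2.0.},
}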