OAuth 2.0 for Browser-Based Apps

Document Type: Replaced Internet-Draft (individual)
Authors: Aaron Parecki, David Waite
Last updated: 2018-12-08
Replaced by: draft-ietf-oauth-browser-based-apps
Stream: (None)
Intended RFC status: (None)
Status: Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Replaced by draft-ietf-oauth-browser-based-apps
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


OAuth 2.0 authorization requests from apps running entirely in a browser are unable to use a Client Secret during the process, since they have no way to keep a secret confidential. This specification details the security considerations that must be taken into account when developing browser-based applications, as well as best practices for how they can securely implement OAuth 2.0.


Aaron Parecki (aaron@parecki.com)
David Waite (david@alkaline-solutions.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)