- Authorization Code Flow: Server-side web apps (confidential clients) whose client secret is never exposed to the browser; the browser is redirected back with a short-lived authorization code and the server exchanges that code for tokens at the token endpoint.
- Authorization Code Flow with Proof Key for Code Exchange (PKCE): The same flow for public clients (SPAs, mobile and CLI apps) that cannot hold a secret; the client sends a SHA-256 code_challenge when requesting the code and the matching code_verifier when exchanging it, so an intercepted code is useless without the verifier.
- Device Authorization Flow: For input-constrained devices; entering the code shown on your Roku screen on the Hulu website, for example.
- Client Credentials Flow: Machine-to-machine calls with no user involved; the client authenticates with its own credentials and is issued a token directly.
- Auth0: Authorization Flows good docs all around here.
- Auth0: Which flow should I use?
- Auth0: Silent Authentication Explains Auth0's approach to reloading a browser session on a client-only app.
- OpenID Connect (OIDC): Identity layer built on OAuth 2.0 that supports social login; alongside the access token the authorization server issues an ID Token (a JWT) carrying the user's identity and profile claims.
- OWASP CSRF Guide: Also linked on page is the XSS guide
- OWASP CSRF Cheat Sheet: Also linked on page is the XSS cheat sheet
- A number of Stack Exchange questions on XSS vs CSRF
- Your API-Centric Web App Is Probably Not Safe Against XSS and CSRF: Approach advocating storing a JWT in web storage and submitting it as an Authorization header (which a cross-site form cannot set, so it is immune to CSRF) along with an httpOnly session cookie to protect against XSS; script cannot read the cookie, so an XSS payload cannot exfiltrate a complete credential, though it can still issue requests from the victim's page.
- Getting Token Authentication Right: Approach advocating splitting a JWT across 2 cookies, header.payload and signature, with the signature cookie being httpOnly so script never has access to the full token. No Authorization header is used, which means the usual cookie CSRF defences (SameSite, a CSRF token) still apply.
- JWTs should not be used issue on Flask-Security, linking to some resources that essentially argue the JWT standard is fatally flawed
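The PKCE variant of the Authorization Code Flow listed above, as an added worked example that is not from any of the linked pages or from Auth0. The AuthorizationServer class is a hypothetical in-memory stand-in for the real /authorize and /token endpoints; the client id "spa-demo" and the cookie-free request shapes are assumptions for the demo. It shows why an authorization code stolen from the redirect URL is useless without the code_verifier, and why the code must be single-use.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unpadded base64url chars, inside the allowed 43..128 range."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory model of the two endpoints PKCE touches (not a real AS)."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # Only the hashed method is accepted: with "plain" anyone who sees the
        # challenge in the authorization request already has the verifier.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code  # in real life this travels back to the client in the redirect URL

    def token(self, client_id: str, code: str, code_verifier: str):
        # pop() consumes the code on any attempt, so a replayed or guessed
        # exchange fails even if the verifier is right the second time.
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        stored_challenge = entry[1]
        if not hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None  # verifier does not hash to the challenge this code was issued against
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_pkce_flow(authz: AuthorizationServer, client_id: str = "spa-demo"):
    """Client side of the flow: generate verifier, get a code, exchange it. Returns the token response."""
    verifier = make_code_verifier()          # kept in memory by the client only
    challenge = make_code_challenge(verifier)  # the only thing that leaves the client up front
    code = authz.authorize(client_id, challenge)
    return authz.token(client_id, code, verifier)


if __name__ == "__main__":
    print(run_pkce_flow(AuthorizationServer()))
```

The known-answer pair for the S256 method comes from RFC 7636 Appendix B, which is a convenient check that the challenge encoding (unpadded base64url of the raw digest, not of its hex) is right.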
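The split-JWT cookie scheme from the Getting Token Authentication Right entry above, as an added worked example that is not that article's code and not from any project on this page. The cookie names jwt_hp and jwt_sig, the 30-minute max-age on the readable half, and the HS256 key are assumptions for the demo. The HS256 signing is done by hand so the block runs with the standard library only; the point it shows is that script can read and display the header.payload half but cannot assemble a valid token, and that the server must reassemble and verify from the Cookie header itself.

```python
import base64
import hashlib
import hmac
import json
import time

HP_COOKIE = "jwt_hp"    # readable by script: header.payload (hypothetical name)
SIG_COOKIE = "jwt_sig"  # httpOnly: signature only (hypothetical name)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(key: bytes, signing_input: str) -> str:
    return b64url(hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest())


def mint_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS serialization: header.payload.signature, HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    return signing_input + "." + hs256(key, signing_input)


def set_cookies_for(token: str, hp_max_age: int = 30 * 60) -> dict:
    """Set-Cookie attributes for both halves, keyed by cookie name."""
    header, payload, signature = token.split(".")
    common = {"secure": True, "samesite": "Strict", "path": "/"}  # SameSite because cookies are auto-sent (CSRF)
    return {
        HP_COOKIE: {"value": header + "." + payload, "httponly": False, "max_age": hp_max_age, **common},
        SIG_COOKIE: {"value": signature, "httponly": True, **common},  # session cookie, no max_age
    }


def browser_sends(set_cookies: dict) -> dict:
    """What the Cookie header carries on the next request: every cookie, httpOnly or not."""
    return {name: attrs["value"] for name, attrs in set_cookies.items()}


def script_visible(set_cookies: dict) -> dict:
    """What document.cookie exposes: only the non-httpOnly half."""
    return {name: attrs["value"] for name, attrs in set_cookies.items() if not attrs["httponly"]}


def read_claims_client_side(hp_value: str) -> dict:
    """SPA use of the readable half: show the user name and expiry. Unverified, display only."""
    return json.loads(b64url_decode(hp_value.split(".")[1]))


def verify_request_cookies(cookies: dict, key: bytes, now=None):
    """Server side: reassemble from the two cookies and validate. Returns claims or None."""
    hp = cookies.get(HP_COOKIE)
    sig = cookies.get(SIG_COOKIE)
    if hp is None or sig is None or hp.count(".") != 1:
        return None  # one half missing: script-only access can never produce both
    if not hmac.compare_digest(hs256(key, hp), sig):
        return None  # payload edited, or signature from a different token
    header_b64, payload_b64 = hp.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # algorithm is pinned server-side, never taken from the token
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if exp is not None and current >= exp:
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed for the demo; use a random key in practice
    cookies = set_cookies_for(mint_jwt({"sub": "alice", "exp": int(time.time()) + 1800}, key))
    print("script sees:", script_visible(cookies))
    print("server accepts:", verify_request_cookies(browser_sends(cookies), key))
```

Because the readable half carries exp, the client can notice session expiry without a round trip, while the httpOnly half keeps an XSS payload from copying a usable token off the machine; the payload can still make requests from the page, which is the limit of every storage scheme on this list.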