The OAuth 2.0 Authorization Framework offers considerable power and flexibility in how it can be integrated into applications. Since its first release more than five years ago, the framework has been greatly extended with new capabilities, both through IETF specifications that build on the core framework and through industry-contributed specifications.
Because of OAuth's versatility, developers and administrators often have many choices in how best to apply the framework to their needs. As a result, it has become increasingly common for experts and solution providers to offer structured guidance that simplifies configuration and deployment and helps avoid future interoperability and security issues.
As part of providing that guidance, Ping Identity is pleased to share with our customers its recommendations for integrating OAuth and OpenID Connect with single-page applications (SPAs).
Single-page applications and native applications overlap significantly in their behavior. The IETF recently published a Best Current Practice (BCP), RFC 8252, "OAuth 2.0 for Native Apps", covering OAuth (and, by extension, OpenID Connect) integration with native applications such as user-installed apps on a mobile device; it is commonly referred to by the name of its reference implementation, "AppAuth." The SPA recommendations to our customers build upon these AppAuth recommendations. Consequently, they align single-page applications more closely with native apps with regard to configuration, integration and administration.
It is our hope that these SPA recommendations will eventually lead to similar best practices being established across the industry.