> Could you please expand on what you are achieving with replacing the URL
> using the history API? Removing the token from the browser's history, or any
> protection beyond that?
Just this block of code which would be run on the redirect_uri page loaded in the client (after id_token/token validation is complete): https://github.com/IdentityServer/IdentityServer4.Samples/blob/release/Clients/src/JsOidc/wwwroot/callback.js#L4-L6

-Brock
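What such a callback-page scrub looks like, as an added example that is not the IdentityServer sample's code: it assumes the implicit-flow response arrives in the URL fragment (id_token, access_token, state) and that validation has already happened before the URL is rewritten.

```javascript
// Added example (not the linked callback.js). Runs on the redirect_uri page
// after the tokens in the fragment have been read and validated; it then
// overwrites the current history entry so the tokens no longer sit in the
// browser history, the address bar, or a bookmark copied from it.

// Parse the response parameters carried in the fragment, e.g.
// "#id_token=...&access_token=...&state=...", into a plain object.
function parseFragmentParams(fragment) {
  const body = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  const params = {};
  for (const [key, value] of new URLSearchParams(body)) {
    params[key] = value;
  }
  return params;
}

// The URL the history entry is rewritten to: same origin, path and query,
// but with the fragment (and so the token material) removed.
function stripTokenFragment(url) {
  const hashIndex = url.indexOf('#');
  return hashIndex === -1 ? url : url.slice(0, hashIndex);
}

// Browser entry point. replaceState() rewrites the current entry instead of
// pushing a new one, so Back does not return to a URL that still carries tokens.
// (Guarded so the helpers above can also be exercised outside a browser.)
function handleCallback() {
  if (typeof window === 'undefined') {
    return null;
  }
  const response = parseFragmentParams(window.location.hash);
  // ... validate id_token / access_token / state here before using them ...
  window.history.replaceState({}, document.title,
    stripTokenFragment(window.location.href));
  return response;
}
```

Rewriting the URL does nothing for tokens that were already logged or sent in a Referer before this code ran, so it complements rather than replaces keeping the callback page free of third-party resources.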
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth