> On Dec 5, 2018, at 5:16 AM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>
> Hi Tomek,
>
>> On 04.12.2018 at 19:03, Tomek Stojecki <tstoje...@yahoo.com> wrote:
>>
>> Thanks Torsten!
>> So if I am putting myself in the shoes of somebody who sets out to do that - switch an existing SPA client (no backend)
>
> I would like to ask you a question: how many SPAs w/o a backend have you seen in your projects?

Pivoting to apps with local domain business logic (aka a backend):

Setup - the developer is building a browser-targeted app and at least one mobile app - their backend would likely be identical across all three. In that case, would they want client access to that backend to be secured with access tokens? Or should that backend be the client to the AS, and communication from the JavaScript to the backend be secured with some non-OAuth method like cookies or API keys?

I push for OAuth in most of these cases, unless their strategy for mobile apps is to “wrap” the browser code and content into a native app - in which case more flexible access to that backend can be deferred if desired until there is stronger business need.

-DW

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth