OAuth 2.0 Authorization (Single-Page App, authorization response leaks)
This is an analysis of various OAuth flows under the assumption that a Single-Page App is used (there is no backend, so the website itself is the OAuth client) and that the access token leaks from the authorization response. We further assume that when authorization codes are used, PKCE is used with them.
Security Properties
-
Authorization:
The attacker cannot use an access token that was issued for another user. (green=true, red=false, grey=unknown)
Rules used
(see labels in graph below)
-
AT binding:
If a resource server accepts access tokens only from the domain of the client for which the access token was issued, that domain contains no XSS bugs, and access token binding is used, then the access token cannot be misused even if an attacker steals it.
-
PKCE + code:
If PKCE is used, a leaked authorization code cannot be used by an attacker.
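The following is an added example (not part of the original analysis) that simulates the PKCE + code rule end to end. A hypothetical toy authorization server stores the S256 code_challenge sent with each authorization request and, at the token endpoint, recomputes BASE64URL(SHA256(code_verifier)) as RFC 7636 specifies. It shows that an attacker holding only the authorization code leaked from the response cannot redeem it, and that a code already redeemed by the legitimate SPA cannot be replayed. The class and function names, the client id "spa-client" and the token format are assumptions made for the example.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Generate a code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Hypothetical toy AS: remembers the challenge per issued code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a fresh code."""
        if method != "S256":
            raise ValueError("only S256 is accepted in this example")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: single-use code, client match, verifier must hash to the challenge."""
        entry = self._codes.pop(code, None)  # consume the code whatever the outcome
        if entry is None:
            return None  # unknown or already used code
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, stored_challenge):
            return None  # verifier does not match: leaked code alone is useless
        return "at_" + b64url(secrets.token_bytes(16))


def simulate() -> dict:
    """Run the two scenarios the rule covers and report the outcomes."""
    server = AuthorizationServer()
    results = {}

    # Scenario 1: the attacker sees the code in the authorization response and
    # redeems it first, but only holds a guessed verifier (constructed here).
    verifier, challenge = make_pkce_pair()
    code = server.authorize("spa-client", challenge)
    attacker_verifier = b64url(secrets.token_bytes(32))
    results["attacker_with_leaked_code"] = server.token("spa-client", code, attacker_verifier)

    # Scenario 2: the legitimate SPA redeems its own code; a later replay of the
    # same code (even with the right verifier) is refused because codes are single use.
    verifier, challenge = make_pkce_pair()
    code = server.authorize("spa-client", challenge)
    results["legitimate_client"] = server.token("spa-client", code, verifier)
    results["replay_of_used_code"] = server.token("spa-client", code, verifier)
    return results


if __name__ == "__main__":
    for scenario, outcome in simulate().items():
        print(f"{scenario}: {'token issued' if outcome else 'rejected'}")
```

The verifier never appears in the authorization response, so leaking that response (the page's assumption) gives the attacker the code but not the secret needed to redeem it; the single-use check covers the case where the legitimate client has already exchanged the code.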
-
Leaked AT:
Without access token binding, an attacker can misuse any leaked access token.