Browser-Based OAuth Client: The architecture you shouldn't be using
Blog post from FusionAuth
The Browser-Based OAuth Client (BBOC) pattern is considered the least secure OAuth architecture because it stores tokens in browser storage, where any JavaScript running in the page can read them. That exposes the tokens to Cross-Site Scripting (XSS) and to supply chain attacks on the scripts the page loads. Despite its convenience and its prevalence in OAuth provider documentation, the Internet Engineering Task Force (IETF) advises against BBOC for applications that handle sensitive or personal data.

High-profile security breaches have highlighted the risks of BBOC and are pushing organizations toward more secure architectures such as Backend-for-Frontend (BFF) or Token-Mediating Backend (TMB). Both keep tokens server-side and limit how much of the token, if any, the browser ever sees.

The IETF draft on OAuth 2.0 for browser-based applications recommends best practices such as the Authorization Code Flow with PKCE and avoiding deprecated methods like the implicit grant.

Migrating from BBOC to one of the secure architectures can be complex. For teams that cannot transition immediately, robust security controls such as short-lived tokens and a strong Content Security Policy reduce the risk. The ultimate recommendation, however, is to move away from BBOC, both to stay compliant with security regulations and to protect against evolving threats.