OAuth 2.0 implemented directly in browser-based frontend apps (React, Angular, Vue) is fundamentally insecure. Even with mitigations like short-lived access tokens and refresh token rotation, a determined attacker exploiting XSS can steal tokens from storage or silently obtain a fresh authorization code via an iframe-based flow — bypassing all token-hiding strategies. The root problem is that any JavaScript running in the browser, including malicious code, has the same access as the legitimate app. The recommended solution is the Backend for Frontend (BFF) pattern: a thin server-side component that handles all OAuth flows, stores tokens server-side, and communicates with the frontend via secure HttpOnly cookies. This eliminates token theft from the browser and prevents silent flow abuse, reducing the attack surface to the same level as traditional server-side web apps. The BFF requires minimal changes to existing APIs and authorization server config, and open-source/commercial implementations are available.
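As an added illustration of the BFF pattern described above (this is not code from the talk or from any of the implementations it mentions): a framework-free Python sketch in which the server-side component redeems the authorization code, keeps the tokens in its own store, hands the browser nothing but an opaque session id in an HttpOnly cookie, and refreshes expired tokens itself while proxying API calls. The token endpoint, upstream API and clock are injected so it runs offline; `FakeAuthServer` is a constructed stand-in for the authorization server and resource API.

```python
import secrets
from dataclasses import dataclass

SESSION_COOKIE = "bff_session"

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds

class BFF:
    # Tokens live only here; the browser gets an opaque session id in an HttpOnly cookie.
    def __init__(self, token_endpoint, upstream_api, clock):
        self._token = token_endpoint   # callable(grant params) -> token response dict
        self._api = upstream_api       # callable(path, bearer token) -> response data
        self._clock = clock            # callable() -> epoch seconds
        self._sessions = {}            # session id -> TokenSet (server-side only)

    def _store(self, sid: str, resp: dict) -> TokenSet:
        self._sessions[sid] = TokenSet(resp["access_token"], resp["refresh_token"],
                                       self._clock() + resp["expires_in"])
        return self._sessions[sid]

    def handle_callback(self, code: str) -> dict:
        # Redirect-URI callback: the BFF, not the SPA, redeems the authorization code.
        sid = secrets.token_urlsafe(32)
        self._store(sid, self._token({"grant_type": "authorization_code", "code": code}))
        return {"Set-Cookie": f"{SESSION_COOKIE}={sid}; HttpOnly; Secure; "
                              "SameSite=Strict; Path=/"}

    def proxy(self, cookies: dict, path: str):
        # The SPA calls the BFF with its cookie; the BFF attaches the bearer token upstream.
        sid = cookies.get(SESSION_COOKIE, "")
        tokens = self._sessions.get(sid)
        if tokens is None:
            return 401, None
        if tokens.expires_at <= self._clock():  # refresh server-side, never in the SPA
            tokens = self._store(sid, self._token({"grant_type": "refresh_token",
                                                   "refresh_token": tokens.refresh_token}))
        return 200, self._api(path, tokens.access_token)

class FakeAuthServer:
    # Constructed stand-in for the authorization server and the resource API.
    issued = 0
    def token(self, params: dict) -> dict:
        self.issued += 1
        return {"access_token": f"at-{self.issued}",
                "refresh_token": f"rt-{self.issued}", "expires_in": 300}
    def api(self, path: str, bearer: str) -> dict:
        return {"path": path, "bearer": bearer}
```

Script injected into the SPA can still make cookie-bearing requests through the proxy while the session lives, so the BFF shrinks the problem to session riding, the same exposure a classic server-side web app has, rather than removing XSS impact entirely.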
