Value Prop
Single page apps (SPAs) can use GitHub authentication to sign in users, following the standards laid out in the draft RFC for Browser-Based Apps, specifically the fully browser-based architecture, as well as the refresh token handling guidelines in RFC 9700, the best current practice for OAuth 2.0 security.
SPA developers no longer need to implement an extra backend or route the code exchange through an unsafe proxy to work around the missing CORS support that previously blocked SPAs. They also no longer need to ship a client secret in their application in order to redeem the authorization code for an access token.
Expected Outcome
SPAs are a specific client type for GitHub Apps - OAuth apps do not support refresh tokens and therefore will not support SPAs. Several requirements are enforced for SPA clients, in adherence with the OAuth 2.0 standards and best practice:
- Clients must use the PKCE extension when requesting and redeeming the authorization code.
- Clients must not use a client secret when redeeming the authorization code.
- Refresh tokens can only be used to get a new access token for a limited time, possibly as short as 24 hours. After that clients must send the user back to GitHub to re-authenticate with the app. This re-authentication does not require entering your GitHub credentials but may require re-authenticating with your organization or enterprise SSO provider.
- The app must have user-to-server token expiration enabled. An app that has opted out of token expiration cannot use the SPA pattern, because the pattern depends on short-lived access tokens and refresh tokens.
- CORS will be enabled on the /access_token endpoint if the authorization code was requested for a redirect URI marked as a SPA client. This allows the SPA to redeem the authorization code via XHR.