Why doesn’t OAuth/OpenID Connect use window.open() and postMessage() instead of redirects?
I needed a way to sync user data across multiple domains that I own, so I figured I might as well implement an OAuth server, since others have already spent lots of effort in making sure its design is secure.
But it occurred to me that there are a lot of steps needed to securely deliver the access token to a client. Specifically, PKCE and sending a code which can be exchanged for a token, rather than sending the token directly.
So I was wondering why the OAuth spec doesn't recommend that the token gets transferred via window.opener.postMessage() instead. This seems a lot less complex since you don't need a dedicated callback URL, and it comes with the benefit that you can call window.close() so the user doesn't end up with multiple tabs and the state of their existing tab isn't lost. On top of that, you can use the targetOrigin parameter of postMessage() to ensure that the token ends up with the exact same domain that requested it in the first place.
Of course, this wouldn't hold for server apps, since it would be safer to not send any access token to the client at all in that case, but for SPAs this seems a lot less complex and maybe even more secure.
Either way, this all seems a bit too good to be true to me. If it really was this straight forward, surely OAuth/OpenID Connect would have used this method in their recommendations.
So I was wondering if someone could point out a major reason why this approach couldn't be possible. Is it simply that OAuth/OpenID Connect was created during a time with fewer browser capabilities, or is there something obvious I'm missing?