Using Picos to build an OAuth Client


Reporting a proof-of-concept at

It answers the questions:

  1. “How do we get a pico to initiate a front channel communication?”
  2. “How can a pico receive the callback from an authorization server?”
  3. “How could we record the new access token when we need to refresh it?”

Thanks to @burdettadam and @farskipper for many discussions. They each independently suggested the idea used for the third question


During discussion of this in our Picolabs meeting, it became clear that there was a serious flaw. Requiring SPA developers to somehow know which KRL functions to call with /sky/cloud and which to call with /oauth/resource leaks information, with all of the attendant risks. Many thanks to Phil Windley for helping us to understand this.

I have updated the proof-of-concept to outline a more general solution that doesn’t leak information, with a postscript added today