<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-oauth-browser-based-apps-27" category="bcp" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>OAuth 2.0 for Browser-Based Applications</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-browser-based-apps-27"/>
    <author initials="A." surname="Parecki" fullname="Aaron Parecki">
      <organization>Okta</organization>
      <address>
        <email>aaron@parecki.com</email>
        <uri>https://aaronparecki.com</uri>
      </address>
    </author>
    <author initials="P." surname="De Ryck" fullname="Philippe De Ryck">
      <organization>Pragmatic Web Security</organization>
      <address>
        <email>philippe@pragmaticwebsecurity.com</email>
      </address>
    </author>
    <author initials="D." surname="Waite" fullname="David Waite">
      <organization>Ping Identity</organization>
      <address>
        <email>david@alkaline-solutions.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 121?>

<t>This specification details the threats, attack consequences, security considerations and best practices that must be
taken into account when developing browser-based applications that use OAuth 2.0.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Web Authorization Protocol Working Group mailing list (oauth@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/oauth-wg/oauth-browser-based-apps"/>.</t>
    </note>
  </front>
  <middle>
    <?line 126?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This specification describes different architectural patterns for implementing OAuth 2.0 clients in applications executing in a browser. The specification outlines the security challenges for browser-based applications and analyzes how different patterns can help address some of these challenges.</t>
      <t>This document focuses on JavaScript frontend applications acting as the OAuth client (defined in <xref section="1.1" sectionFormat="of" target="RFC6749"/>), interacting with the authorization server (<xref section="1.1" sectionFormat="of" target="RFC6749"/>) to obtain access tokens and optionally refresh tokens. The client uses the access token to access protected resources on resource servers (<xref section="1.1" sectionFormat="of" target="RFC6749"/>). When using OAuth, the client, authorization server, and resource servers are all considered independent parties, regardless of whether each is owned or operated by the same entity.</t>
      <t>Note that many web applications consist of a frontend and API running on a common domain, allowing for an architecture that does not rely on OAuth 2.0. This is described in more detail in <xref target="single-domain-apps"/> Such scenarios can rely on OpenID Connect <xref target="OpenID"/> for federated user authentication, after which the application maintains the user's authentication state. Such a scenario, (which only uses OAuth 2.0 as the underlying specification of OpenID Connect), is not within scope of this specification.</t>
      <t>For native application developers using OAuth 2.0 and OpenID Connect, an IETF BCP
(best current practice) was published that guides integration of these technologies.
This document is formally known as <xref target="RFC8252"/> or BCP212, but often referred to as "AppAuth" after
the OpenID Foundation-sponsored set of libraries that assist developers in adopting
these practices. <xref target="RFC8252"/> makes specific recommendations for how to securely implement OAuth clients in native
applications, including incorporating additional OAuth extensions where needed.</t>
      <t>This specification, OAuth 2.0 for Browser-Based Applications, highlights how the security properties of browser-based applications are vastly different than those of native applications, as well as addresses the similarities between implementing OAuth clients as native applications and browser-based applications. This document is primarily focused on OAuth, except where OpenID Connect provides additional considerations.</t>
      <t>Many of these recommendations are derived from the Best Current Practice for OAuth 2.0 Security
<xref target="RFC9700"/>, as browser-based applications are expected to follow those recommendations
as well. This document expands on and further restricts various recommendations given in <xref target="RFC9700"/>.</t>
    </section>
    <section anchor="notational-conventions">
      <name>Notational Conventions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>This specification uses the terms "access token", "authorization endpoint", "authorization grant", "authorization server", "client", "client identifier" (client ID), "protected resource", "refresh token", "resource owner", "resource server", and "token endpoint" defined by OAuth 2.0 <xref target="RFC6749"/>, and "bearer token" defined by <xref target="RFC6750"/>.</t>
      <t>In addition to the terms defined in referenced specifications, this document uses
the following terms:</t>
      <dl>
        <dt>"OAuth":</dt>
        <dd>
          <t>In this document, "OAuth" refers to OAuth 2.0, <xref target="RFC6749"/> and <xref target="RFC6750"/>.</t>
        </dd>
        <dt>"Browser-based application":</dt>
        <dd>
          <t>An application that is dynamically downloaded and executed in a web browser,
usually written in JavaScript. Also sometimes referred to as a "single-page application", or "SPA".</t>
        </dd>
      </dl>
      <t>This document discusses the security of browser-based applications, which are executed by the browser in a runtime environment. In most scenarios, these applications are JavaScript (JS) applications running in a JavaScript execution environment. Given the popularity of this scenario, this document uses the term "JavaScript" to refer to all mechanisms that allow code to execute in the application's runtime in the browser. The recommendations and considerations in this document are not exclusively linked to the JavaScript language or its runtime, but also apply to other languages and runtime environments in the browser, such as Web Assembly (<xref target="W3C.wasm-core-2"/>).</t>
      <dl>
        <dt>"PKCE":</dt>
        <dd>
          <t>Proof Key for Code Exchange (PKCE) <xref target="RFC7636"/>, a mechanism
to prevent various attacks on OAuth authorization codes.</t>
        </dd>
        <dt>"DPoP":</dt>
        <dd>
          <t>OAuth 2.0 Demonstrating of Proof of Possession (DPoP) <xref target="RFC9449"/> is a mechanism to restrict access tokens to be used only by the client they were issued to.</t>
        </dd>
        <dt>"CORS":</dt>
        <dd>
          <t>Cross-Origin Resource Sharing <xref target="Fetch"/>, a mechanism that enables exceptions to the browser's same-origin policy.</t>
        </dd>
        <dt>"CSP":</dt>
        <dd>
          <t>Content Security Policy <xref target="W3C.CSP3"/>, a mechanism of restricting which resources a particular web page can fetch or execute.</t>
        </dd>
      </dl>
    </section>
    <section anchor="history-of-oauth-20-in-browser-based-applications">
      <name>History of OAuth 2.0 in Browser-Based Applications</name>
      <t>At the time that OAuth 2.0 was initially specified in <xref target="RFC6749"/> and <xref target="RFC6750"/>, browser-based JavaScript applications needed a solution that strictly complied with the same-origin policy. Common deployments of OAuth 2.0 involved an application running on a different domain than the authorization server, so it was historically not possible to use the Authorization Code grant type (<xref section="4.1" sectionFormat="of" target="RFC6749"/>) which would require a cross-origin POST request. This limitation was one of the motivations for the definition of the Implicit flow (<xref section="4.2" sectionFormat="of" target="RFC6749"/>), which returns the access token in the front channel via the fragment part of the URL, bypassing the need for a cross-origin POST request.</t>
      <t>However, there are several drawbacks to the Implicit flow, generally involving vulnerabilities associated with the exposure of the access token in the URL. See <xref target="implicit_flow"/> for an analysis of these attacks and the drawbacks of using the Implicit flow in browsers. Additional attacks and security considerations can be found in <xref target="RFC9700"/>.</t>
      <t>In modern web development, widespread adoption of Cross-Origin Resource Sharing (CORS) <xref target="Fetch"/> (which enables exceptions to the same-origin policy) allows browser-based applications to use the OAuth 2.0 Authorization Code flow and make a POST request to exchange the authorization code for an access token at the token endpoint. Since the Authorization Code grant type enables the use of refresh tokens, this behavior has been adopted for browser-based clients as well, even though these clients are still public clients (defined in <xref section="2.1" sectionFormat="of" target="RFC6749"/>) with limited to no access to secure storage. Furthermore, adding Proof Key for Code Exchange (PKCE) <xref target="RFC7636"/> to the flow prevents authorization code injection, as well as ensures that even if an authorization code is intercepted, it is unusable by an attacker.</t>
      <t>For this reason, and from other lessons learned, the current best practice for browser-based applications is to use the OAuth 2.0 Authorization Code grant type with PKCE. There are various architectural patterns for deploying browser-based applications, both with and without a corresponding server-side component. Each of these architectures has specific trade-offs and considerations which are discussed further in this document. Additional considerations apply for first-party common-domain applications.</t>
    </section>
    <section anchor="threats">
      <name>The Threat of Malicious JavaScript</name>
      <t>Malicious JavaScript poses a significant risk to browser-based applications. Attack vectors, such as cross-site scripting (XSS) or the compromise of remote code files, give an attacker the capability to run arbitrary code in the application's execution context. This malicious code is not isolated from the main application's code in any way. Consequentially, the malicious code can not only take control of the running execution context, but can also perform actions within the application's origin. Concretely, this means that the malicious code can steal data from the current page, interact with other same-origin browsing contexts, send requests to a backend from within the application's origin, steal data from origin-based storage mechanisms (e.g., localStorage, IndexedDB), etc.</t>
      <t>First and foremost, it is crucial to take proactive measures to avoid the attacker from gaining a foothold in the first place. Doing so involves, but is not limited to:</t>
      <ul spacing="normal">
        <li>
          <t>Strictly applying context-sensitive output encoding and sanitization when handling untrusted data</t>
        </li>
        <li>
          <t>Limiting or avoiding the loading of unchecked third-party resources</t>
        </li>
        <li>
          <t>Using Subresource Integrity <xref target="W3C.SRI"/> to restrict valid scripts that can be loaded</t>
        </li>
        <li>
          <t>Using a nonce-based or hash-based Content Security Policy <xref target="W3C.CSP3"/> to prevent the execution of unauthorized script code</t>
        </li>
        <li>
          <t>Using origin isolation and HTML5 sandboxing to create boundaries between different parts of the application</t>
        </li>
      </ul>
      <t>Further recommendations can be found in the OWASP Cheat Sheet series <xref target="OWASPCheatSheet"/>.</t>
      <t>Unfortunately, history shows that even when applying these security guidelines, there remains a risk that the attacker finds a way to trigger the execution of malicious JavaScript. When analyzing the security of browser-based applications in light of the presence of malicious JS, it is crucial to realize that the <strong>malicious JavaScript code has the same privileges as the legitimate application code</strong>. All JS applications are exposed to this risk in some degree.</t>
      <t>Applications might obtain OAuth tokens that confer authorization
necessary to their functioning. In combination, this effectively gives
compromised code the ability to use that authorization for malicious ends.
Though the risk of attacker abuse of authorization is unavoidable, there are
ways to limit the extent to which a compromised application can abuse that
authorization. For instance, this access might be limited to times when the
application is in active use, by limiting the type of tokens that might be obtained, or by binding
the tokens to the browser.</t>
      <t>When the legitimate application code can access variables or call functions, the malicious JS code can do exactly the same. Furthermore, the malicious JS code can tamper with the regular execution flow of the application, as well as with any application-level defenses, since they are typically controlled from within the application. For example, the attacker can remove or override event listeners, modify the behavior of built-in functions (prototype pollution), and stop pages in frames from loading.</t>
      <t>The impact of malicious JavaScript on browser-based applications is a widely studied and well-understood topic. However, the concrete impact of malicious JavaScript on browser-based applications acting as an OAuth client is quite unique, since the malicious JavaScript can now impact the interactions during an OAuth flow. This section explores the threats malicious JS code poses to a browser-based application with the responsibilities of an OAuth client. <xref target="attackscenarios"/> discusses a few scenarios that attackers can use once they have found a way to run malicious JavaScript code. These scenarios paint a clear picture of the true power of the attacker, which goes way beyond simple token exfiltration. <xref target="consequences"/> analyzes the impact of these attack scenarios on the OAuth client.</t>
      <t>The remainder of this specification will refer back to these attack scenarios and consequences to analyze the security properties of the different architectural patterns.</t>
      <section anchor="attackscenarios">
        <name>Attack Scenarios</name>
        <t>This section presents several attack scenarios that an attacker can execute once they have found a vulnerability that allows the execution of malicious JavaScript code. The attack scenarios include trivial scenarios (<xref target="scenario-single-theft"/>) and elaborate scenarios (<xref target="scenario-new-flow"/>). Note that this enumeration is non-exhaustive, narrowly scoped to OAuth-specific features, and presented in no particular order.</t>
        <section anchor="scenario-single-theft">
          <name>Single-Execution Token Theft</name>
          <t>This scenario covers a simple token exfiltration attack, where the attacker obtains and exfiltrates the client's current tokens. This scenario consists of the following steps:</t>
          <ul spacing="normal">
            <li>
              <t>Execute malicious JS code</t>
            </li>
            <li>
              <t>Obtain tokens from the application's preferred storage mechanism (See <xref target="token-storage"/>)</t>
            </li>
            <li>
              <t>Send the tokens to a server controlled by the attacker</t>
            </li>
            <li>
              <t>Store or abuse the stolen tokens</t>
            </li>
          </ul>
          <t>The recommended defensive strategy to decrease the risk associated with a compromised access tokens is to reduce the scope and lifetime of the token. For refresh tokens, the use of refresh token rotation (as defined in <xref section="4.14.2" sectionFormat="of" target="RFC9700"/>) offers a detection and correction mechanism. Sender-constrained tokens (<xref target="sender-constrained-tokens"/>) offer an additional layer of protection against stolen access tokens.</t>
          <t>Note that this attack scenario is trivial and often used to illustrate the dangers of malicious JavaScript. When discussing the security of browser-based applications, it is crucial to avoid limiting the attacker's capabilities to the attack discussed in this scenario.</t>
        </section>
        <section anchor="scenario-persistent-theft">
          <name>Persistent Token Theft</name>
          <t>This attack scenario is a more advanced variation on the Single-Execution Token Theft scenario (<xref target="scenario-single-theft"/>). Instead of immediately stealing tokens upon the execution of the malicious code, the attacker sets up the necessary handlers to steal the application's tokens on a continuous basis. This scenario consists of the following steps:</t>
          <ul spacing="normal">
            <li>
              <t>Execute malicious JS code</t>
            </li>
            <li>
              <t>Setup a continuous token theft mechanism (e.g., on a 10-second time interval)
              </t>
              <ul spacing="normal">
                <li>
                  <t>Obtain tokens from the application's preferred storage mechanism (See <xref target="token-storage"/>)</t>
                </li>
                <li>
                  <t>Send the tokens to a server controlled by the attacker</t>
                </li>
                <li>
                  <t>Store the tokens</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Wait until the opportune moment to abuse the latest version of the stolen tokens</t>
            </li>
          </ul>
          <t>The crucial difference in this scenario is that the attacker always has access to the latest tokens used by the application. This slight variation in the attack scenario already suffices to counter typical defenses against token theft, such as short lifetimes or refresh token rotation.</t>
          <t>For access tokens, the attacker now obtains the latest access token for as long as the user's browser is online. Refresh token rotation is not sufficient to prevent abuse of a refresh token. An attacker can easily ensure that the application will not use the latest refresh token. For example, the attacker could clear the application's tokens after stealing them, wait until the user closes the application, or wait until the user's browser goes offline. Since the application will not use the latest refresh token, there will be no detectable refresh token reuse, giving the attacker full control over the stolen refresh token.</t>
        </section>
        <section anchor="scenario-new-flow">
          <name>Acquisition and Extraction of New Tokens</name>
          <t>In this advanced attack scenario, the attacker completely disregards any tokens that the application has already obtained. Instead, the attacker takes advantage of the ability to run malicious code that is associated with the application's origin. With that ability, the attacker can inject a hidden iframe and launch a silent Authorization Code flow. This silent flow will reuse the user's existing session with the authorization server and result in the issuing of a new, independent access token (and optionally refresh token). This scenario consists of the following steps:</t>
          <ul spacing="normal">
            <li>
              <t>Execute malicious JS code</t>
            </li>
            <li>
              <t>Set up a handler to obtain the authorization code from the iframe (e.g., by monitoring the frame's URL or via Web Messaging <xref target="WebMessaging"/>)</t>
            </li>
            <li>
              <t>Insert a hidden iframe into the page and initialize it with an authorization request. The authorization request in the iframe will occur within the user's session and, if the session is still active, result in the issuing of an authorization code. Note that this step relies on the Authorization Server supporting silent frame-based flows, as discussed in the last paragraph of this scenario.</t>
            </li>
            <li>
              <t>Extract the authorization code from the iframe using the previously installed handler</t>
            </li>
            <li>
              <t>Send the authorization code to a server controlled by the attacker</t>
            </li>
            <li>
              <t>Exchange the authorization code for a new set of tokens</t>
            </li>
            <li>
              <t>Abuse the stolen tokens</t>
            </li>
          </ul>
          <t>The most important takeaway from this scenario is that it runs a new OAuth flow instead of focusing on stealing existing tokens. In essence, even if the application finds a token storage mechanism that is able to completely isolate the stored tokens from the attacker, the attacker will still be able to request a new set of tokens. Note that because the attacker controls the application in the browser, the attacker's Authorization Code flow is indistinguishable from a legitimate Authorization Code flow.</t>
          <t>This attack scenario is possible because the security of public browser-based OAuth clients relies entirely on the redirect URI and application's origin. When the attacker executes malicious JavaScript code in the application's origin, they gain the capability to inspect same-origin frames. As a result, the attacker's code running in the main execution context can inspect the redirect URI loaded in the same-origin frame to extract the authorization code.</t>
          <t>There are no practical security mechanisms for frontend applications that counter this attack scenario. Short access token lifetimes and refresh token rotation are ineffective, since the attacker has a fresh, independent set of tokens. Advanced security mechanism, such as DPoP <xref target="RFC9449"/> are equally ineffective, since the attacker can use their own key pair to setup and use DPoP for the newly obtained tokens. Requiring user interaction with every Authorization Code flow would effectively stop the automatic silent issuance of new tokens, but this would significantly impact widely-established patterns, such as bootstrapping an application on its first page load, or single sign-on across multiple related applications, and is not a practical measure.</t>
        </section>
        <section anchor="scenario-proxy">
          <name>Proxying Requests via the User's Browser</name>
          <t>This attack scenario involves the attacker sending requests to the OAuth resource server directly from within the OAuth client application running in the user's browser. In this scenario, there is no need for the attacker to abuse the application to obtain tokens, since the browser will include its own cookies or tokens along in the request. The requests to the resource server sent by the attacker are indistinguishable from requests sent by the legitimate application, since the attacker is running code in the same context as the legitimate application. This scenario consists of the following steps:</t>
          <ul spacing="normal">
            <li>
              <t>Execute malicious JS code</t>
            </li>
            <li>
              <t>Send a request to a resource server and process the response</t>
            </li>
          </ul>
          <t>To authorize the requests to the resource server, the attacker simply mimics the behavior of the client application. For example, when a client application programmatically attaches an access token to outgoing requests, the attacker does the same. Should the client application rely on an external component to augment the request with the proper access token, then this external component will also augment the attacker's request.</t>
          <t>This attack pattern is well-known and also occurs with traditional applications using <tt>HttpOnly</tt> session cookies. It is commonly accepted that this scenario cannot be stopped or prevented by application-level security measures. For example, DPoP <xref target="RFC9449"/> explicitly considers this attack scenario to be out of scope.</t>
        </section>
      </section>
      <section anchor="consequences">
        <name>Attack Consequences</name>
        <t>Successful execution of an attack scenario can result in the theft of access tokens and refresh tokens, or in the ability to hijack the client application running in the user's browser. Each of these consequences is relevant for browser-based OAuth clients. They are discussed below in decreasing order of severity.</t>
        <section anchor="consequence-rt">
          <name>Exploiting Stolen Refresh Tokens</name>
          <t>When the attacker obtains a valid refresh token from a browser-based OAuth client, they can abuse the refresh token by running a Refresh Token grant with the authorization server. The response of the Refresh Token grant contains an access token, which gives the attacker the ability to access protected resources (See <xref target="consequence-at"/>). In essence, abusing a stolen refresh token enables long-term impersonation of the legitimate client application to resource servers.</t>
          <t>The attack is only stopped when the authorization server refuses a refresh token because it has expired or rotated, or when the refresh token is revoked. In a typical browser-based OAuth client, it is not uncommon for a refresh token to remain valid for multiple hours, or even days.</t>
        </section>
        <section anchor="consequence-at">
          <name>Exploiting Stolen Access Tokens</name>
          <t>If the attacker obtains a valid access token, they gain the ability to impersonate the legitimate client application in a request to a resource server. Concretely, possession of an access token allows the attacker to send arbitrary requests to any resource server that accepts the valid access token. In essence, abusing a stolen access token enables short-term impersonation of the legitimate client application to resource servers.</t>
          <t>The attack ends when the access token expires or when a token is revoked with the authorization server. In a typical browser-based OAuth client, access token lifetimes can be quite short, ranging from minutes to hours.</t>
          <t>Note that the possession of the access token allows its unrestricted use by the attacker. The attacker can send arbitrary requests to resource servers, using any HTTP method, destination URL, header values, or body.</t>
          <t>The application can use DPoP to ensure its access tokens are bound to non-exportable keys held by the browser. In that case, it becomes significantly harder for the attacker to abuse stolen access tokens. More specifically, with DPoP, the attacker can only abuse stolen application tokens by carrying out an online attack, where the proofs are calculated in the user's browser. This attack is described in detail in <xref section="11.4" sectionFormat="of" target="RFC9449"/>. However, when the attacker obtains a fresh access token (and optionally refresh token), as described in <xref target="scenario-new-flow"/>, they can set up DPoP for these tokens using an attacker-controlled key pair. In that case, the attacker is again free to abuse this newly obtained access token without restrictions.</t>
        </section>
        <section anchor="consequence-hijack">
          <name>Client Hijacking</name>
          <t>When stealing tokens is not possible or desirable, the attacker can also choose to hijack the OAuth client application running in the user's browser. This effectively allows the attacker to perform any operations that the legitimate client application can perform. Examples include inspecting data on the page, modifying the page, and sending requests to backend systems. Alternatively, the attacker can also abuse their access to the application to launch additional attacks, such as tricking the client into acting on behalf of the attacker using an attack such as session fixation (<xref target="SessionFixation"/>).</t>
          <t>Note that client hijacking is less powerful than directly abusing stolen user tokens. In a client hijacking scenario, the attacker cannot directly control the tokens and is restricted by the security policies enforced on the client application. For example, a resource server running on <tt>admin.example.org</tt> can be configured with a CORS policy that rejects requests coming from a client running on <tt>web.example.org</tt>. Even if the access token used by the client would be accepted by the resource server, the resource server's strict CORS configuration does not allow such a request. A resource server without such a strict CORS policy can still be subject to adversarial requests coming from the compromised client application.</t>
        </section>
      </section>
    </section>
    <section anchor="application-architecture-patterns">
      <name>Application Architecture Patterns</name>
      <t>There are three main architectural patterns available when building browser-based applications that rely on OAuth for accessing protected resources.</t>
      <ul spacing="normal">
        <li>
          <t>A browser-based application that relies on a backend component for handling OAuth responsibilities and forwards all requests through the backend component (Backend-For-Frontend or BFF)</t>
        </li>
        <li>
          <t>A browser-based application that relies on a backend component for handling OAuth responsibilities, but calls resource servers directly using the access token (Token-Mediating Backend)</t>
        </li>
        <li>
          <t>A browser-based application acting as the client, handling all OAuth responsibilities in the browser (Browser-based OAuth Client)</t>
        </li>
      </ul>
      <t>Each of these architectural patterns offers a different trade-off between security and simplicity. The patterns in this section are presented in decreasing order of security.</t>
      <section anchor="pattern-bff">
        <name>Backend For Frontend (BFF)</name>
        <t>This section describes the architecture of a browser-based application that relies on a backend component to handle all OAuth responsibilities and API interactions. The BFF has three core responsibilities:</t>
        <ol spacing="normal" type="1"><li>
            <t>The BFF interacts with the authorization server as a confidential OAuth client (as defined in <xref section="2.1" sectionFormat="of" target="RFC6749"/>)</t>
          </li>
          <li>
            <t>The BFF manages OAuth access and refresh tokens in the context of a cookie-based session, avoiding the direct exposure of any tokens to the browser-based application</t>
          </li>
          <li>
            <t>The BFF forwards all requests to a resource server, augmenting them with the correct access token before forwarding them to the resource server</t>
          </li>
        </ol>
        <t>In this architecture, the BFF runs as a server-side component, but it is a component of the frontend application. To avoid confusion with other architectural concepts, such as API gateways and reverse proxies, it is important to keep in mind that the BFF becomes the OAuth client for the frontend application.</t>
        <t>If an attacker is able to execute malicious code within the browser-based application, the application architecture is able to withstand most of the attack scenarios discussed before. Since tokens are only available to the BFF, there are no tokens available to extract from the browser (Single-Execution Token Theft (<xref target="scenario-single-theft"/>) and Persistent Token Theft (<xref target="scenario-persistent-theft"/>)). The BFF is a confidential client, which prevents the attacker from running a new flow within the browser (Acquisition and Extraction of New Tokens (<xref target="scenario-new-flow"/>)). Since the malicious browser-based code still runs within the application's origin, the attacker is able to send requests to the BFF from within the user's browser (Proxying Requests via the User's Browser (<xref target="scenario-proxy"/>)). Note that the use of HttpOnly cookies prevents the attacker from directly accessing the session state, which prevents the escalation from client hijacking to session hijacking.</t>
        <section anchor="application-architecture">
          <name>Application Architecture</name>
          <figure anchor="fig-bbapp-pattern-bff">
            <name>OAuth 2.0 BFF Pattern</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="448" width="576" viewBox="0 0 576 448" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,368 L 8,432" fill="none" stroke="black"/>
                  <path d="M 152,368 L 152,432" fill="none" stroke="black"/>
                  <path d="M 184,32 L 184,112" fill="none" stroke="black"/>
                  <path d="M 232,368 L 232,432" fill="none" stroke="black"/>
                  <path d="M 256,144 L 256,336" fill="none" stroke="black"/>
                  <path d="M 288,208 L 288,272" fill="none" stroke="black"/>
                  <path d="M 312,32 L 312,112" fill="none" stroke="black"/>
                  <path d="M 320,304 L 320,336" fill="none" stroke="black"/>
                  <path d="M 368,32 L 368,112" fill="none" stroke="black"/>
                  <path d="M 368,304 L 368,336" fill="none" stroke="black"/>
                  <path d="M 416,144 L 416,176" fill="none" stroke="black"/>
                  <path d="M 416,304 L 416,336" fill="none" stroke="black"/>
                  <path d="M 456,32 L 456,112" fill="none" stroke="black"/>
                  <path d="M 464,304 L 464,336" fill="none" stroke="black"/>
                  <path d="M 480,32 L 480,112" fill="none" stroke="black"/>
                  <path d="M 512,304 L 512,336" fill="none" stroke="black"/>
                  <path d="M 520,144 L 520,176" fill="none" stroke="black"/>
                  <path d="M 536,208 L 536,272" fill="none" stroke="black"/>
                  <path d="M 536,304 L 536,336" fill="none" stroke="black"/>
                  <path d="M 568,32 L 568,112" fill="none" stroke="black"/>
                  <path d="M 568,368 L 568,432" fill="none" stroke="black"/>
                  <path d="M 184,32 L 312,32" fill="none" stroke="black"/>
                  <path d="M 368,32 L 456,32" fill="none" stroke="black"/>
                  <path d="M 480,32 L 568,32" fill="none" stroke="black"/>
                  <path d="M 184,112 L 312,112" fill="none" stroke="black"/>
                  <path d="M 368,112 L 456,112" fill="none" stroke="black"/>
                  <path d="M 480,112 L 568,112" fill="none" stroke="black"/>
                  <path d="M 288,208 L 536,208" fill="none" stroke="black"/>
                  <path d="M 288,272 L 536,272" fill="none" stroke="black"/>
                  <path d="M 8,368 L 152,368" fill="none" stroke="black"/>
                  <path d="M 232,368 L 568,368" fill="none" stroke="black"/>
                  <path d="M 168,400 L 216,400" fill="none" stroke="black"/>
                  <path d="M 8,432 L 152,432" fill="none" stroke="black"/>
                  <path d="M 232,432 L 568,432" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="544,336 532,330.4 532,341.6" fill="black" transform="rotate(90,536,336)"/>
                  <polygon class="arrowhead" points="528,176 516,170.4 516,181.6" fill="black" transform="rotate(90,520,176)"/>
                  <polygon class="arrowhead" points="528,144 516,138.4 516,149.6" fill="black" transform="rotate(270,520,144)"/>
                  <polygon class="arrowhead" points="520,304 508,298.4 508,309.6" fill="black" transform="rotate(270,512,304)"/>
                  <polygon class="arrowhead" points="472,336 460,330.4 460,341.6" fill="black" transform="rotate(90,464,336)"/>
                  <polygon class="arrowhead" points="424,304 412,298.4 412,309.6" fill="black" transform="rotate(270,416,304)"/>
                  <polygon class="arrowhead" points="424,176 412,170.4 412,181.6" fill="black" transform="rotate(90,416,176)"/>
                  <polygon class="arrowhead" points="424,144 412,138.4 412,149.6" fill="black" transform="rotate(270,416,144)"/>
                  <polygon class="arrowhead" points="376,336 364,330.4 364,341.6" fill="black" transform="rotate(90,368,336)"/>
                  <polygon class="arrowhead" points="376,304 364,298.4 364,309.6" fill="black" transform="rotate(270,368,304)"/>
                  <polygon class="arrowhead" points="328,336 316,330.4 316,341.6" fill="black" transform="rotate(90,320,336)"/>
                  <polygon class="arrowhead" points="328,304 316,298.4 316,309.6" fill="black" transform="rotate(270,320,304)"/>
                  <polygon class="arrowhead" points="264,336 252,330.4 252,341.6" fill="black" transform="rotate(90,256,336)"/>
                  <polygon class="arrowhead" points="264,144 252,138.4 252,149.6" fill="black" transform="rotate(270,256,144)"/>
                  <polygon class="arrowhead" points="224,400 212,394.4 212,405.6" fill="black" transform="rotate(0,216,400)"/>
                  <g class="text">
                    <text x="248" y="68">Authorization</text>
                    <text x="408" y="68">Token</text>
                    <text x="524" y="68">Resource</text>
                    <text x="244" y="84">Endpoint</text>
                    <text x="412" y="84">Endpoint</text>
                    <text x="524" y="84">Server</text>
                    <text x="400" y="164">(F)</text>
                    <text x="504" y="164">(K)</text>
                    <text x="336" y="244">Backend</text>
                    <text x="384" y="244">for</text>
                    <text x="436" y="244">Frontend</text>
                    <text x="496" y="244">(BFF)</text>
                    <text x="240" y="260">(D)</text>
                    <text x="296" y="324">(B,I)</text>
                    <text x="352" y="324">(C)</text>
                    <text x="400" y="324">(E)</text>
                    <text x="448" y="324">(G)</text>
                    <text x="496" y="324">(J)</text>
                    <text x="552" y="324">(L)</text>
                    <text x="192" y="388">(A,H)</text>
                    <text x="44" y="404">Static</text>
                    <text x="88" y="404">Web</text>
                    <text x="124" y="404">Host</text>
                    <text x="400" y="404">Browser</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
                      +---------------+      +----------+  +----------+
                      |               |      |          |  |          |
                      | Authorization |      |  Token   |  | Resource |
                      |   Endpoint    |      | Endpoint |  |  Server  |
                      |               |      |          |  |          |
                      +---------------+      +----------+  +----------+

                               ^                   ^            ^
                               |                (F)|         (K)|
                               |                   v            v
                               |
                               |   +------------------------------+
                               |   |                              |
                               |   |  Backend for Frontend (BFF)  |
                            (D)|   |                              |
                               |   +------------------------------+
                               |
                               |       ^     ^     ^     +     ^  +
                               |  (B,I)|  (C)|  (E)|  (G)|  (J)|  |(L)
                               v       v     v     +     v     +  v

+-----------------+         +-----------------------------------------+
|                 |  (A,H)  |                                         |
| Static Web Host | +-----> |                 Browser                 |
|                 |         |                                         |
+-----------------+         +-----------------------------------------+
]]></artwork>
            </artset>
          </figure>
          <t>In this architecture, the browser code (typically JavaScript) is first loaded from a static web host into the browser (A), and the application then runs in the browser. The application checks with the BFF if there is an active session by calling a "check session" API endpoint (B). If an active session is found, the application resumes its authenticated state and skips forward to step J.</t>
          <t>When no active session is found, the browser-based application triggers a navigation to the BFF (C) to initiate the Authorization Code flow with the PKCE
extension (described in <xref target="pattern-bff-flow"/>), to which the BFF responds by redirecting the browser to the authorization endpoint (D). When the user is redirected back, the browser delivers the authorization code to the BFF (E), where the BFF can then exchange it for tokens at the token endpoint (F) using its client credentials and PKCE code verifier.</t>
          <t>The BFF associates the obtained tokens with the user's session (See <xref target="pattern-bff-sessions"/>) and sets a cookie in the response to keep track of this session (G). At this point, the redirect-based Authorization Code flow has been completed, so the BFF can hand control back to the frontend application. It does so by including a redirect in the response (G), triggering the browser to fetch the frontend from the server (H). Note that step (H) is identical to step (A), which likely means that the requested resources can be loaded from the browser's cache. When the frontend loads, it will check with the BFF for an existing session (I), allowing the application to resume its authenticated state.</t>
          <t>When the application in the browser wants to make a request to the resource server, it sends a request to the corresponding endpoint on the BFF (J). This request will include the cookie set in step G, allowing the BFF to obtain the proper tokens for this user's session. The BFF removes the cookie from the request, attaches the user's access token to the request, and forwards it to the actual resource server (K). The BFF then forwards the response back to the browser-based application (L).</t>
        </section>
        <section anchor="implementation-details">
          <name>Implementation Details</name>
          <section anchor="bff_endpoints">
            <name>Session and OAuth Endpoints</name>
            <t>The BFF provides a set of endpoints that are crucial to implement the interactions between the browser-based application and the BFF. This section discusses these endpoints in a bit more detail to clarify their purpose and use cases.</t>
            <t>The "check session" endpoint (Steps B and I in the diagram above) is an API endpoint called by the browser-based application. The request will carry session information when available, allowing the BFF to check for an active session. The response should indicate to the browser-based application whether the session is active. Additionally, the BFF can include other information, such as identity information about the authenticated user.</t>
            <t>The endpoint that initiates the Authorization Code flow (step C) is contacted by the browser through a navigation. When the application detects an unauthenticated state after checking the session (step B), it can navigate the browser to this endpoint. Doing so allows the BFF to respond with a redirect, which takes the browser to the authorization server. The endpoint to initiate this flow is typically included as the "login" endpoint by libraries that support OAuth 2.0 for confidential clients running on a web server. Note that it is also possible for the BFF to initiate the Authorization Code flow in step B, when it detects the absence of an active session. In that case, the BFF would return the authorization URI in the response and expect the application to trigger a navigation event with this URI. However, this scenario requires a custom implementation and makes it harder to use standard OAuth libraries.</t>
            <t>The endpoint that receives the authorization code (step E) is called by a navigation event from within the browser. At this point, the application is not loaded and not in a position to handle the redirect. Similar to the initiation of the flow, the endpoint to handle the redirect is offered by standard OAuth libraries. The BFF can respond to this request with a redirect that triggers the browser to load the application.</t>
            <t>Finally, the BFF can also offer a "logout" endpoint to the application, which is not depicted in the diagram above. The exact behavior of the logout endpoint depends on the application requirements. Note that standard OAuth libraries typically also offer an implementation of the "logout" endpoint.</t>
          </section>
          <section anchor="refresh-tokens">
            <name>Refresh Tokens</name>
            <t>When using refresh tokens, as described in <xref section="4.14" sectionFormat="of" target="RFC9700"/>, the BFF obtains the refresh token (step F) and associates it with the user's session.</t>
            <t>If the BFF notices that the user's access token has expired and the BFF has a refresh token, it can use the refresh token to obtain a fresh access token. Since the BFF OAuth client is a confidential client, it will use client authentication on the refresh token request. Typically, the BFF performs these steps inline when handling an API call from the frontend. In that case, these steps, which are not explicitly shown on the diagram, would occur between steps J and K. BFFs that keep all token information available on the server side can also request fresh access tokens when they observe a token expiration event to increase the performance of API requests.</t>
            <t>When the refresh token expires, there is no way to obtain a valid access token without running an entirely new Authorization Code flow. Therefore, it makes sense to configure the lifetime of the cookie-based session managed by the BFF to be equal to the maximum lifetime of the refresh token. Additionally, when the BFF learns that a refresh token for an active session is no longer valid, it also makes sense to invalidate the session.</t>
          </section>
          <section anchor="pattern-bff-sessions">
            <name>Cookie-based Session State</name>
            <t>The BFF relies on browser cookies (<xref target="I-D.ietf-httpbis-rfc6265bis"/>) to keep track of the user's session, which is used to access the user's tokens. Cookie-based sessions, both server-side and client-side, have some downsides.</t>
            <t>Server-side sessions expose only a session identifier and keep all data on the server. Doing so ensures a great level of control over active sessions, along with the possibility to revoke any session at will. The downside of this approach is the impact on scalability, requiring solutions such as "sticky sessions", or "session replication". Given these downsides, using server-side sessions with a BFF is only recommended in small-scale scenarios.</t>
            <t>Client-side sessions push all data to the browser in a signed, and optionally encrypted, object. This pattern absolves the server of keeping track of any session data, but severely limits control over active sessions and makes it difficult to handle session revocation. However, when client-side sessions are used in the context of a BFF, these properties change significantly. Since the cookie-based session is only used to obtain a user's tokens, all control and revocation properties follow from the use of access tokens and refresh tokens. It suffices to revoke the user's access token and/or refresh token to prevent ongoing access to protected resources, without the need to explicitly invalidate the cookie-based session.</t>
            <t>Best practices to secure the session cookie are discussed in <xref target="pattern-bff-cookie-security"/>.</t>
          </section>
          <section anchor="pattern-bff-oidc">
            <name>Combining OAuth and OpenID Connect</name>
            <t>The OAuth flow used by this application architecture can be combined with OpenID Connect by including the necessary OpenID Connect scopes in the authorization request (C) (At least the scope <tt>openid</tt> as defined in Section 3.1.2.1 of <xref target="OpenID"/>). In that case, the BFF will receive an ID Token in step F. The BFF can associate the information from the ID Token with the user's session and provide it to the application in step B or I.</t>
            <t>When needed, the BFF can use the access token associated with the user's session to make requests to the UserInfo endpoint.</t>
          </section>
          <section anchor="practical-deployment-strategies">
            <name>Practical Deployment Strategies</name>
            <t>Serving the static JavaScript code is a separate responsibility from handling OAuth tokens and forwarding requests. In the diagram presented above, the BFF and static web host are shown as two separate entities. In real-world deployments, these components can be deployed as a single service (i.e., the BFF serving the static JS code), as two separate services (i.e., a CDN and a BFF), or as two components in a single service (i.e., static hosting and serverless functions on a cloud platform).</t>
            <t>Note that it is possible to further customize this architecture to tailor to specific scenarios. For example, an application relying on both internal and external resource servers can choose to host the internal resource server alongside the BFF. In that scenario, requests to the internal resource server are handled directly at the BFF, without the need to forward requests over the network. Authorization from the point of view of the resource server does not change, as the user's session is internally translated to the access token and its claims.</t>
          </section>
        </section>
        <section anchor="security-considerations">
          <name>Security Considerations</name>
          <section anchor="pattern-bff-flow">
            <name>The Authorization Code Grant</name>
            <t>The main benefit of using a BFF is the BFF's ability to act as a confidential client. Therefore, the BFF MUST act as a confidential client by establishing credentials with the authorization server. Furthermore, the BFF MUST use the OAuth 2.0 Authorization Code grant as described in <xref section="2.1.1" sectionFormat="of" target="RFC9700"/> to initiate a request for an access token.</t>
          </section>
          <section anchor="pattern-bff-cookie-security">
            <name>Cookie Security</name>
            <t>The BFF uses cookies to create a user session, which is directly associated with the user's tokens, either through server-side or client-side session state. Given the sensitive nature of these cookies, they must be properly protected.</t>
            <t>The following cookie security guidelines are relevant for this particular BFF architecture:</t>
            <ul spacing="normal">
              <li>
                <t>The BFF MUST enable the <tt>Secure</tt> flag for its cookies</t>
              </li>
              <li>
                <t>The BFF MUST enable the <tt>HttpOnly</tt> flag for its cookies</t>
              </li>
              <li>
                <t>The BFF SHOULD enable the <tt>SameSite=Strict</tt> flag for its cookies</t>
              </li>
              <li>
                <t>The BFF SHOULD set its cookie path to <tt>/</tt></t>
              </li>
              <li>
                <t>The BFF SHOULD NOT set the <tt>Domain</tt> attribute for cookies</t>
              </li>
              <li>
                <t>The BFF SHOULD start the name of its cookies with a prefix indicating the cookie was set via HTTP, for example by using the <tt>__Host-Http-</tt> prefix defined in <xref target="I-D.ietf-httpbis-layered-cookies"/></t>
              </li>
            </ul>
            <t>Note: In new deployments, all of the above requirements are likely to be straightforward to implement. The "SHOULD" items are only not "MUSTs" so that existing architectures can be compliant. The implications of these requirements are listed below.</t>
            <t>These cookie security guidelines, combined with the use of HTTPS, help counter attacks that directly target a cookie-based session. Session hijacking is not possible, due to the <tt>Secure</tt> and <tt>HttpOnly</tt> cookie flags. The <tt>__Host-Http-</tt> prefix prevents the cookie from being shared with subdomains, thereby countering subdomain-based session hijacking or session fixation attacks. In a typical BFF deployment scenario, there is no reason to use more relaxed cookie security settings than the requirements listed above. Deviating from these settings requires proper motivation for the deployment scenario at hand.</t>
            <t>Additionally, when using client-side sessions that contain access tokens, (as opposed to server-side sessions where the tokens only live on the server), the BFF SHOULD encrypt its cookie contents. While the use of cookie encryption does not affect the security properties of the BFF pattern, it does ensure that tokens stored in cookies are never written to the user's local persistent storage in plaintext format. This security measure helps ensure the confidentiality of the tokens in case an attacker is able to read cookies from the hard drive. Such an attack can be launched through malware running on the victim's computer. Note that while encrypting the cookie contents prevents direct access to embedded tokens, it still allows the attacker to use the encrypted cookie in a session hijacking attack.</t>
            <t>For further guidance on cookie security best practices, we refer to the OWASP Cheat Sheet series (<xref target="OWASPCheatSheet"/>).</t>
          </section>
          <section anchor="pattern-bff-csrf">
            <name>Cross-Site Request Forgery Protections</name>
            <t>The interactions between the browser-based application and the BFF rely on cookies for authentication and authorization. Similar to other cookie-based interactions, the BFF is required to account for Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack could allow the attacker's request to the BFF to trigger outgoing calls to a protected resource.</t>
            <t>The BFF MUST implement a proper CSRF defense. The exact mechanism or combination of mechanisms depends on the exact domain where the BFF is deployed, as discussed below.</t>
            <section anchor="samesite-cookie-attribute">
              <name>SameSite Cookie Attribute</name>
              <t>Configuring the cookies with the <tt>SameSite=Strict</tt> attribute (See <xref target="pattern-bff-cookie-security"/>) ensures that the BFF's cookies are only included on same-site requests, and not on potentially malicious cross-site requests.</t>
              <t>This defense is adequate if the BFF is never considered to be same-site with any other applications. However, it falls short when the BFF is hosted alongside other applications within the same site, defined as the eTLD+1 (See this definition of <xref target="Site"/> for more details).</t>
              <t>For example, subdomains, such as  <tt>https://a.example.com</tt> and <tt>https://b.example.com</tt>, are considered same-site, since they share the same site <tt>example.com</tt>. They are considered cross-origin, since origins consist of the tuple <em>&lt;scheme, hostname, port&gt;</em>. As a result, a subdomain takeover attack against <tt>b.example.com</tt> can enable CSRF attacks against the BFF of <tt>a.example.com</tt>. Note that these subdomain-based attacks follow the same pattern as CSRF attacks, but with cross-origin nature instead of a cross-site nature.</t>
            </section>
            <section anchor="cors">
              <name>Cross-Origin Resource Sharing</name>
              <t>The BFF can rely on CORS as a CSRF defense mechanism. CORS is a security mechanism implemented by browsers that restricts cross-origin requests, unless the server explicitly approves such a request by setting the proper CORS headers.</t>
              <t>Browsers typically restrict cross-origin HTTP requests initiated from scripts. CORS can remove this restriction if the target server approves the request, which is checked through an initial "preflight" request. Unless the preflight response explicitly approves the request, the browser will refuse to send the full request.</t>
              <t>Because of this property, the BFF can rely on CORS as a CSRF defense. When the attacker tries to launch a cross-origin request to the BFF from the user's browser, the BFF will not approve the request in the preflight response, causing the browser to block the actual request. Note that the attacker can always launch the request from their own machine, but then the request will not carry the user's cookies, so the attack will fail.</t>
              <t>When relying on CORS as a CSRF defense, it is important to realize that certain requests are possible without a preflight. For such requests, named "CORS-safelisted Requests", the browser will simply send the request and prevent access to the response if the server did not send the proper CORS headers. This behavior is enforced for requests that can be triggered via other means than JavaScript, such as a GET request or a form-based POST request.</t>
              <t>The consequence of this behavior is that certain endpoints of the resource server could become vulnerable to CSRF, even with CORS enabled as a defense. For example, if the resource server is an API that exposes an endpoint to a body-less POST request, there will be no preflight request and no CSRF defense.</t>
              <t>To avoid such bypasses against the CORS policy, the BFF SHOULD require that the browser-based application includes a custom request header. Cross-origin requests with a custom request header always require a preflight, which makes CORS an effective CSRF defense. When this mechanism is used, the BFF MUST ensure that every incoming request carries this static header. The exact naming of this header is at the discretion of the application and BFF. A sample configuration would be a request header with a static value, such as <tt>My-Static-Header: 1</tt>.</t>
              <t>It is also possible to deploy the browser-based application on the same origin as the BFF. This ensures that legitimate interactions between the frontend and the BFF do not require any preflights, so there's no additional overhead.</t>
            </section>
            <section anchor="use-anti-forgerydouble-submit-cookies">
              <name>Use anti-forgery/double submit cookies</name>
              <t>Some technology stacks and frameworks have built-in CRSF protection using anti-forgery cookies. This mechanism relies on a session-specific secret that is stored in a cookie, which can only be read by the legitimate frontend running in the domain associated with the cookie. The frontend is expected to read the cookie and insert its value into the request, typically by adding a custom request header. The backend verifies the value in the cookie to the value provided by the frontend to identify legitimate requests. When implemented correctly for all state-changing requests, this mechanism effectively mitigates CSRF.</t>
              <t>Note that this mechanism is not necessarily recommended over the CORS approach. However, if a framework offers built-in support for this mechanism, it can serve as a low-effort alternative to protect against CSRF.</t>
            </section>
          </section>
          <section anchor="privacy-considerations-in-the-bff-architecture">
            <name>Privacy considerations in the BFF architecture</name>
            <t>The BFF pattern requires that the browser-based application forwards all requests to a resource server through a backend BFF component. As a consequence, the BFF component is able to observe all requests and responses between the application and a resource server, which can have a considerable privacy impact.</t>
            <t>When the browser-based application and BFF are built and deployed by the same party, the privacy impact is likely minimal. However, when this pattern is implemented using a BFF component that is provided or hosted by a third party, this privacy impact needs to be taken into account.</t>
          </section>
          <section anchor="operational-considerations">
            <name>Operational Considerations</name>
            <t>As the BFF is forwarding all requests to the resource server on behalf of the frontend, care should be taken to ensure the resource server is aware of this component and uses appropriate policies for rate limiting and other anti-abuse measures. For example, if the BFF is deployed as a single-instance service, and the resource server is rate limiting requests based on IP address, it might start blocking requests as many users' browsers will appear to be coming from the single IP address of the BFF.</t>
          </section>
          <section anchor="pattern-bff-proxy">
            <name>Proxy Restrictions</name>
            <t>The BFF acts as a proxy service by accepting requests from the frontend and forwarding them to the resource server. The inbound request carries a cookie, which the BFF translates into an access token on the outbound request. (Note that this makes it more like an application-layer reverse proxy than an HTTP proxy.) Apart from CSRF attacks, attackers may attempt to manipulate the BFF into forwarding requests to unintended hosts. If an attacker successfully exploits this, they could redirect the BFF to an arbitrary server, potentially exposing the user's access token.</t>
            <t>To mitigate this risk, the BFF MUST enforce strict outbound request controls by validating destination hosts before forwarding requests. This requires maintaining an explicit allowlist of approved resource servers, ensuring that requests are only proxied to predefined backends (e.g., <tt>/bff/orders/create</tt> maps exclusively to <tt>https://order-api.example.com/create</tt>). If dynamic routing based on paths (e.g., <tt>/bff/orders/{id}</tt>) is necessary, the BFF MUST apply strict validation to ensure that only authorized destinations are accessible. Additionally, restricting the allowed HTTP methods on a per-endpoint basis can further reduce attack vectors.</t>
            <t>When implementing a dynamically configurable proxy, the BFF MUST ensure that it only allows requests to explicitly permitted hosts and paths. Failure to enforce these restrictions can lead to unauthorized access and access token leakage.</t>
          </section>
          <section anchor="advanced-security">
            <name>Advanced Security</name>
            <t>In the BFF pattern, all OAuth responsibilities have been moved to the BFF, a server-side component acting as a confidential client. Since server-side applications run in a more controlled environment than browser-based applications, it becomes easier to adopt advanced OAuth security practices. Examples include key-based client authentication and sender-constrained tokens.</t>
          </section>
        </section>
        <section anchor="threat-analysis">
          <name>Threat Analysis</name>
          <t>This section revisits the attack scenarios and consequences from <xref target="threats"/>, and discusses potential additional defenses.</t>
          <section anchor="attack-scenarios-and-consequences">
            <name>Attack Scenarios and Consequences</name>
            <t>If the attacker has the ability to execute malicious code (e.g. JavaScript or WASM) in the application's execution context, the following attack scenarios become relevant:</t>
            <ul spacing="normal">
              <li>
                <t>Proxying Requests via the User's Browser (<xref target="scenario-proxy"/>)</t>
              </li>
            </ul>
            <t>Note that this attack scenario results in the following consequences:</t>
            <ul spacing="normal">
              <li>
                <t>Client Hijacking (<xref target="consequence-hijack"/>)</t>
              </li>
            </ul>
            <t>Note that client hijacking is an attack scenario that is inherent to the nature of browser-based applications. As a result, nothing will be able to prevent such attacks apart from stopping the execution of malicious code in the first place. Techniques that can help to achieve this are following secure coding guidelines, code analysis, and deploying defense-in-depth mechanisms such as Content Security Policy (<xref target="W3C.CSP3"/>).</t>
            <t>In this architecture, the BFF is a key component handling various security-specific responsibilities and proxy-based behavior. While it is out of the scope of this document to discuss a secure implementation of proxy-based applications, it is crucial to note that security vulnerabilities in the BFF can have a significant impact on the application.</t>
            <t>Finally, the BFF is uniquely placed to observe all traffic between the browser-based application and the resource servers. If a high-security application would prefer to implement anomaly detection or rate limiting, such a BFF would be the ideal place to do so. Such restrictions can further help to mitigate the consequences of client hijacking.</t>
          </section>
          <section anchor="mitigated-attack-scenarios">
            <name>Mitigated Attack Scenarios</name>
            <t>The other attack scenarios, listed below, are effectively mitigated by the BFF application architecture:</t>
            <ul spacing="normal">
              <li>
                <t>Single-Execution Token Theft (<xref target="scenario-single-theft"/>)</t>
              </li>
              <li>
                <t>Persistent Token Theft (<xref target="scenario-persistent-theft"/>)</t>
              </li>
              <li>
                <t>Acquisition and Extraction of New Tokens (<xref target="scenario-new-flow"/>)</t>
              </li>
            </ul>
            <t>The BFF counters the first two attack scenarios by not exposing any tokens to the browser-based application. Even when the attacker gains full control over the application, there are simply no tokens to be stolen.</t>
            <t>The third scenario, where the attacker obtains a fresh access token (and optionally refresh token) by running a silent flow, is mitigated by making the BFF a confidential client. Even when the attacker manages to obtain an authorization code, they are prevented from exchanging this code due to the lack of client credentials. Additionally, the use of PKCE prevents other attacks against the authorization code.</t>
            <t>Since refresh and access tokens are managed by the BFF and not exposed to the browser, the following two consequences of potential attacks become irrelevant:</t>
            <ul spacing="normal">
              <li>
                <t>Exploiting Stolen Refresh Tokens (See <xref target="consequence-rt"/>)</t>
              </li>
              <li>
                <t>Exploiting Stolen Access Tokens (See <xref target="consequence-at"/>)</t>
              </li>
            </ul>
          </section>
          <section anchor="summary">
            <name>Summary</name>
            <t>The architecture of a BFF is significantly more complicated than a browser-only application. It requires deploying and operating a server-side BFF component. Additionally, this pattern requires all interactions between the application and the resource servers to be proxied by the BFF. Depending on the deployment pattern, this proxy behavior can add a significant burden on the server-side components. See <xref target="practical-deployment-scenarios"/> for additional notes if the BFF is acting as the resource server.</t>
            <t>However, because of the nature of the BFF architecture pattern, it offers strong security guarantees. Using a BFF also ensures that the application's attack surface does not increase by using OAuth. The only viable attack pattern is hijacking the client application in the user's browser, a problem inherent to web applications.</t>
            <t>This architecture is strongly recommended for business applications, sensitive applications, and applications that handle personal data.</t>
          </section>
        </section>
      </section>
      <section anchor="pattern-tmb">
        <name>Token-Mediating Backend</name>
        <t>This section describes the architecture of a browser-based application that relies on a backend component to handle OAuth responsibilities for obtaining tokens as a confidential client (as defined in <xref section="2.1" sectionFormat="of" target="RFC6749"/>). The backend component then provides the application with the access token to directly interact with resource servers.</t>
        <t>The token-mediating backend pattern is more lightweight than the BFF pattern (See <xref target="pattern-bff"/>), since it does not require the proxying of all requests and responses between the application and the resource server. From a security perspective, the token-mediating backend is less secure than a BFF, but still offers significant advantages over an OAuth client application running directly in the browser.</t>
        <t>If an attacker is able to execute malicious code within the application, the application architecture is able to prevent the attacker from abusing refresh tokens (Single-Execution Token Theft (<xref target="scenario-single-theft"/>) and Persistent Token Theft (<xref target="scenario-persistent-theft"/>)) or obtaining a fresh set of tokens (Acquisition and Extraction of New Tokens (<xref target="scenario-new-flow"/>)). However, since the access token is directly exposed to the application, the attacker can steal the token from client-side storage (Single-Execution Token Theft (<xref target="scenario-single-theft"/>) and Persistent Token Theft (<xref target="scenario-persistent-theft"/>)), or request a fresh token from the token-mediating backend (Proxying Requests via the User's Browser (<xref target="scenario-proxy"/>)). Note that the use of HttpOnly cookies prevents the attacker from directly accessing the session state, which prevents the escalation from access token theft to session hijacking.</t>
        <section anchor="application-architecture-1">
          <name>Application Architecture</name>
          <figure anchor="fig-bbapp-pattern-tmb">
            <name>OAuth 2.0 Token-Mediating Backend Pattern</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="448" width="576" viewBox="0 0 576 448" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,368 L 8,432" fill="none" stroke="black"/>
                  <path d="M 152,368 L 152,432" fill="none" stroke="black"/>
                  <path d="M 184,32 L 184,112" fill="none" stroke="black"/>
                  <path d="M 232,368 L 232,432" fill="none" stroke="black"/>
                  <path d="M 256,144 L 256,336" fill="none" stroke="black"/>
                  <path d="M 288,208 L 288,272" fill="none" stroke="black"/>
                  <path d="M 312,32 L 312,112" fill="none" stroke="black"/>
                  <path d="M 320,304 L 320,336" fill="none" stroke="black"/>
                  <path d="M 368,32 L 368,112" fill="none" stroke="black"/>
                  <path d="M 368,304 L 368,336" fill="none" stroke="black"/>
                  <path d="M 416,144 L 416,176" fill="none" stroke="black"/>
                  <path d="M 416,304 L 416,336" fill="none" stroke="black"/>
                  <path d="M 456,32 L 456,112" fill="none" stroke="black"/>
                  <path d="M 464,304 L 464,336" fill="none" stroke="black"/>
                  <path d="M 480,32 L 480,112" fill="none" stroke="black"/>
                  <path d="M 512,208 L 512,272" fill="none" stroke="black"/>
                  <path d="M 536,144 L 536,336" fill="none" stroke="black"/>
                  <path d="M 568,32 L 568,112" fill="none" stroke="black"/>
                  <path d="M 568,368 L 568,432" fill="none" stroke="black"/>
                  <path d="M 184,32 L 312,32" fill="none" stroke="black"/>
                  <path d="M 368,32 L 456,32" fill="none" stroke="black"/>
                  <path d="M 480,32 L 568,32" fill="none" stroke="black"/>
                  <path d="M 184,112 L 312,112" fill="none" stroke="black"/>
                  <path d="M 368,112 L 456,112" fill="none" stroke="black"/>
                  <path d="M 480,112 L 568,112" fill="none" stroke="black"/>
                  <path d="M 288,208 L 512,208" fill="none" stroke="black"/>
                  <path d="M 288,272 L 512,272" fill="none" stroke="black"/>
                  <path d="M 8,368 L 152,368" fill="none" stroke="black"/>
                  <path d="M 232,368 L 568,368" fill="none" stroke="black"/>
                  <path d="M 168,400 L 216,400" fill="none" stroke="black"/>
                  <path d="M 8,432 L 152,432" fill="none" stroke="black"/>
                  <path d="M 232,432 L 568,432" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="544,336 532,330.4 532,341.6" fill="black" transform="rotate(90,536,336)"/>
                  <polygon class="arrowhead" points="544,144 532,138.4 532,149.6" fill="black" transform="rotate(270,536,144)"/>
                  <polygon class="arrowhead" points="472,336 460,330.4 460,341.6" fill="black" transform="rotate(90,464,336)"/>
                  <polygon class="arrowhead" points="424,304 412,298.4 412,309.6" fill="black" transform="rotate(270,416,304)"/>
                  <polygon class="arrowhead" points="424,176 412,170.4 412,181.6" fill="black" transform="rotate(90,416,176)"/>
                  <polygon class="arrowhead" points="424,144 412,138.4 412,149.6" fill="black" transform="rotate(270,416,144)"/>
                  <polygon class="arrowhead" points="376,336 364,330.4 364,341.6" fill="black" transform="rotate(90,368,336)"/>
                  <polygon class="arrowhead" points="376,304 364,298.4 364,309.6" fill="black" transform="rotate(270,368,304)"/>
                  <polygon class="arrowhead" points="328,336 316,330.4 316,341.6" fill="black" transform="rotate(90,320,336)"/>
                  <polygon class="arrowhead" points="328,304 316,298.4 316,309.6" fill="black" transform="rotate(270,320,304)"/>
                  <polygon class="arrowhead" points="264,336 252,330.4 252,341.6" fill="black" transform="rotate(90,256,336)"/>
                  <polygon class="arrowhead" points="264,144 252,138.4 252,149.6" fill="black" transform="rotate(270,256,144)"/>
                  <polygon class="arrowhead" points="224,400 212,394.4 212,405.6" fill="black" transform="rotate(0,216,400)"/>
                  <g class="text">
                    <text x="248" y="68">Authorization</text>
                    <text x="408" y="68">Token</text>
                    <text x="524" y="68">Resource</text>
                    <text x="244" y="84">Endpoint</text>
                    <text x="412" y="84">Endpoint</text>
                    <text x="524" y="84">Server</text>
                    <text x="400" y="164">(F)</text>
                    <text x="368" y="244">Token-Mediating</text>
                    <text x="464" y="244">Backend</text>
                    <text x="552" y="244">(J)</text>
                    <text x="240" y="260">(D)</text>
                    <text x="296" y="324">(B,I)</text>
                    <text x="352" y="324">(C)</text>
                    <text x="400" y="324">(E)</text>
                    <text x="448" y="324">(G)</text>
                    <text x="192" y="388">(A,H)</text>
                    <text x="44" y="404">Static</text>
                    <text x="88" y="404">Web</text>
                    <text x="124" y="404">Host</text>
                    <text x="400" y="404">Browser</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
                      +---------------+      +----------+  +----------+
                      |               |      |          |  |          |
                      | Authorization |      |  Token   |  | Resource |
                      |   Endpoint    |      | Endpoint |  |  Server  |
                      |               |      |          |  |          |
                      +---------------+      +----------+  +----------+

                               ^                   ^              ^
                               |                (F)|              |
                               |                   v              |
                               |                                  |
                               |   +---------------------------+  |
                               |   |                           |  |
                               |   |  Token-Mediating Backend  |  |(J)
                            (D)|   |                           |  |
                               |   +---------------------------+  |
                               |                                  |
                               |       ^     ^     ^     +        |
                               |  (B,I)|  (C)|  (E)|  (G)|        |
                               v       v     v     +     v        v

+-----------------+         +-----------------------------------------+
|                 |  (A,H)  |                                         |
| Static Web Host | +-----> |                 Browser                 |
|                 |         |                                         |
+-----------------+         +-----------------------------------------+
]]></artwork>
            </artset>
          </figure>
          <t>In this architecture, the browser-based code (e.g. JavaScript or WASM) is first loaded from a static web host into the browser (A), and the application then runs in the browser. The application checks with the token-mediating backend if there is an active session (B). If an active session is found, the application receives the corresponding access token, resumes its authenticated state, and skips forward to step J.</t>
          <t>When no active session is found, the application triggers a navigation to the token-mediating backend (C) to initiate the Authorization Code flow with the PKCE extension (described in <xref target="pattern-tmb-flow"/>), to which the token-mediating backend responds by redirecting the browser to the authorization endpoint (D). When the user is redirected back, the browser delivers the authorization code to the token-mediating backend (E), where the token-mediating backend can then exchange it for tokens at the token endpoint (F) using its client credentials and PKCE code verifier.</t>
          <t>The token-mediating backend associates the obtained tokens with the user's session (See <xref target="pattern-tmb-sessions"/>) and sets a cookie in the response to keep track of this session (G). This response to the browser will also trigger the reloading of the application (H). When this application reloads, it will check with the token-mediating backend for an existing session (I), allowing the application to resume its authenticated state and obtain the access token from the token-mediating backend.</t>
          <t>The application in the browser can use the access token obtained in step I to directly make requests to the resource server (J).</t>
        </section>
        <section anchor="implementation-details-1">
          <name>Implementation Details</name>
          <section anchor="session-and-oauth-endpoints">
            <name>Session and OAuth Endpoints</name>
            <t>Most of the endpoint implementations of the token-mediating backend are similar to those described for a BFF.</t>
            <ul spacing="normal">
              <li>
                <t>The "check session" endpoint (Steps B and I in the diagram above) is an API endpoint called by the browser-based application. The request will carry session information when available, allowing the backend to check for an active session. The response should indicate to the browser-based application whether the session is active. If an active session is found, the backend includes the access token in the response. Additionally, the backend can include other information, such as identity information about the authenticated user.</t>
              </li>
              <li>
                <t>The endpoint that initiates the Authorization Code flow (step C) is identical to the endpoint described for the BFF architecture. See section <xref target="bff_endpoints"/> for more details.</t>
              </li>
              <li>
                <t>The endpoint that receives the authorization code (step E) is identical to the endpoint described for the BFF architecture. See section <xref target="bff_endpoints"/> for more details.</t>
              </li>
              <li>
                <t>The endpoint that supports logout is identical to the endpoint described for the BFF architecture. See section <xref target="bff_endpoints"/> for more details.</t>
              </li>
            </ul>
          </section>
          <section anchor="refresh-tokens-1">
            <name>Refresh Tokens</name>
            <t>When using refresh tokens, as described in <xref section="4.14" sectionFormat="of" target="RFC9700"/>, the token-mediating backend obtains the refresh token in step F and associates it with the user's session.</t>
            <t>If the resource server rejects the access token, the application can contact the token-mediating backend to request a new access token. The token-mediating backend relies on the cookies associated with this request to look up the user's refresh token, and makes a token request using the refresh token. These steps are not shown in the diagram. Note that this Refresh Token request is from the backend, a confidential client, and thus requires client authentication.</t>
            <t>When the refresh token expires, there is no way to obtain a valid access token without starting an entirely new Authorization Code grant. Therefore, it makes sense to configure the lifetime of the cookie-based session to be equal to the maximum lifetime of the refresh token if such information is known upfront. Additionally, when the token-mediating backend learns that a refresh token for an active session is no longer valid, it makes sense to invalidate the session.</t>
          </section>
          <section anchor="access-token-scopes">
            <name>Access Token Scopes</name>
            <t>Depending on the resource servers being accessed and the configuration of scopes at the authorization server, the application may wish to request access tokens with different scope configurations. This behavior would allow the application to follow the best practice of using minimally-scoped access tokens.</t>
            <t>The application can inform the token-mediating backend of the desired scopes when it checks for the active session (Step A/I). It is up to the token-mediating backend to decide if previously obtained access tokens fall within the desired scope criteria.</t>
            <t>It should be noted that this access token caching mechanism at the token-mediating backend can cause scope elevation risks when applied indiscriminately. If the cached access token features a superset of the scopes requested by the frontend, the token-mediating backend SHOULD NOT return it to the frontend; instead, it SHOULD use the refresh token to request an access token with the smaller set of scopes from the authorization server. Note that support of such an access token downscoping mechanism is at the discretion of the authorization server.</t>
            <t>The token-mediating backend can use a similar mechanism to downscoping when relying on <xref target="RFC8707"/> to obtain access token for a specific resource server.</t>
          </section>
          <section anchor="pattern-tmb-sessions">
            <name>Cookie-based Session State</name>
            <t>Similar to the BFF, the token-mediating backend relies on browser cookies to keep track of the user's session. The same implementation guidelines and security considerations as for a BFF apply, as discussed in <xref target="pattern-bff-sessions"/>.</t>
          </section>
          <section anchor="combining-oauth-and-openid-connect">
            <name>Combining OAuth and OpenID Connect</name>
            <t>Similar to a BFF, the token-mediating backend can choose to combine OAuth and OpenID Connect in a single flow. See <xref target="pattern-bff-oidc"/> for more details.</t>
          </section>
          <section anchor="practical-deployment-scenarios">
            <name>Practical Deployment Scenarios</name>
            <t>Serving the static JavaScript or WASM code is a separate responsibility from handling interactions with the authorization server. In the diagram presented above, the token-mediating backend and static web host are shown as two separate entities. In real-world deployment scenarios, these components can be deployed as a single service (i.e., the token-mediating backend serving the static code), as two separate services (i.e., a CDN and a token-mediating backend), or as two components in a single service (i.e., static hosting and serverless functions on a cloud platform). These deployment differences do not affect the relationships described in this pattern, but may impact other practicalities, such as the need to properly configure CORS to enable cross-origin communication.</t>
          </section>
        </section>
        <section anchor="security-considerations-1">
          <name>Security Considerations</name>
          <section anchor="pattern-tmb-flow">
            <name>The Authorization Code Grant</name>
            <t>The main benefit of using a token-mediating backend is the backend's ability to act as a confidential client. Therefore, the token-mediating backend MUST act as a confidential client. Furthermore, the token-mediating backend MUST use the OAuth 2.0 Authorization Code grant as described in <xref section="2.1.1" sectionFormat="of" target="RFC9700"/> to initiate a request for an access token.</t>
          </section>
          <section anchor="pattern-bmf-cookie-security">
            <name>Cookie Security</name>
            <t>The token-mediating backend uses cookies to create a user session, which is directly associated with the user's tokens, either through server-side or client-side session state. The same cookie security guidelines as for a BFF apply, as discussed in <xref target="pattern-bff-cookie-security"/>.</t>
          </section>
          <section anchor="pattern-bmf-csrf">
            <name>Cross-Site Request Forgery Protections</name>
            <t>The interactions between the browser-based application and the token-mediating backend rely on cookies for authentication and authorization. Just like a BFF, the token-mediating backend is required to account for Cross-Site Request Forgery (CSRF) attacks.</t>
            <t><xref target="pattern-bff-csrf"/> outlines the nuances of various mitigation strategies against CSRF attacks. Specifically for a token-mediating backend, these CSRF defenses only apply to the endpoint or endpoints where the application can obtain its access tokens.</t>
          </section>
          <section anchor="advanced-oauth-security">
            <name>Advanced OAuth Security</name>
            <t>The token-mediating backend is a confidential client running as a server-side component. The token-mediating backend can adopt security best practices for confidential clients, such as key-based client authentication.</t>
          </section>
        </section>
        <section anchor="threat-analysis-1">
          <name>Threat Analysis</name>
          <t>This section revisits the attack scenarios and consequences from <xref target="threats"/>, and discusses potential additional defenses.</t>
          <section anchor="attack-scenarios-and-consequences-1">
            <name>Attack Scenarios and Consequences</name>
            <t>If the attacker has the ability to execute malicious code in the application's execution context, the following attack scenarios become relevant:</t>
            <ul spacing="normal">
              <li>
                <t>Single-Execution Token Theft (<xref target="scenario-single-theft"/>) for access tokens</t>
              </li>
              <li>
                <t>Persistent Token Theft (<xref target="scenario-persistent-theft"/>) for access tokens</t>
              </li>
              <li>
                <t>Proxying Requests via the User's Browser (<xref target="scenario-proxy"/>)</t>
              </li>
            </ul>
            <t>Note that these attack scenarios result in the following consequences:</t>
            <ul spacing="normal">
              <li>
                <t>Exploiting Stolen Access Tokens (<xref target="consequence-at"/>)</t>
              </li>
              <li>
                <t>Client Hijacking (<xref target="consequence-hijack"/>)</t>
              </li>
            </ul>
            <t>Exposing the access token to the browser-based application is the core idea behind the architecture pattern of the token-mediating backend. As a result, the access token becomes vulnerable to token theft by malicious browser-based code.</t>
          </section>
          <section anchor="mitigated-attack-scenarios-1">
            <name>Mitigated Attack Scenarios</name>
            <t>The other attack scenarios, listed below, are effectively mitigated by the token-mediating backend:</t>
            <ul spacing="normal">
              <li>
                <t>Single-Execution Token Theft (<xref target="scenario-single-theft"/>) for refresh tokens</t>
              </li>
              <li>
                <t>Persistent Token Theft (<xref target="scenario-persistent-theft"/>) for refresh tokens</t>
              </li>
              <li>
                <t>Acquisition and Extraction of New Tokens (<xref target="scenario-new-flow"/>)</t>
              </li>
            </ul>
            <t>The token-mediating backend counters the first two attack scenarios by not exposing the refresh token to the browser-based application. Even when the attacker gains full control over the application, there are simply no refresh tokens to be stolen.</t>
            <t>The third scenario, where the attacker obtains a fresh access token (and optionally refresh token) by running a silent flow, is mitigated by making the token-mediating backend a confidential client. Even when the attacker manages to obtain an authorization code, they are prevented from exchanging this code due to the lack of client credentials.  Additionally, the use of PKCE prevents other attacks against the authorization code.</t>
            <t>Because of the nature of the token-mediating backend, the following consequences of potential attacks become irrelevant:</t>
            <ul spacing="normal">
              <li>
                <t>Exploiting Stolen Refresh Tokens (See <xref target="consequence-rt"/>)</t>
              </li>
            </ul>
          </section>
          <section anchor="additional-defenses">
            <name>Additional Defenses</name>
            <t>While this architecture inherently exposes access tokens, there are some additional defenses that can help to increase the security posture of the application.</t>
            <section anchor="secure-token-storage">
              <name>Secure Token Storage</name>
              <t>Given the nature of the token-mediating backend pattern, there is no need for persistent token storage in the browser. When needed, the application can always use its cookie-based session to obtain an access token from the token-mediating backend. <xref target="token-storage"/> provides more details on the security properties of various storage mechanisms in the browser.</t>
              <t>Be aware that even when the access token is stored out of reach of malicious browser-based code, the malicious code can still mimic the legitimate application and send a request to the token-mediation backend to obtain the latest access token.</t>
            </section>
            <section anchor="using-sender-constrained-tokens">
              <name>Using Sender-Constrained Tokens</name>
              <t>Using sender-constrained access tokens is not trivial in this architecture. The token-mediating backend is responsible for exchanging an authorization code or refresh token for an access token, but the application will use the access token. Using a mechanism such as DPoP <xref target="RFC9449"/> would require splitting responsibilities over two parties, which is not a scenario defined by the specification. Use of DPoP in such a scenario is out of the scope of this document.</t>
            </section>
          </section>
          <section anchor="summary-1">
            <name>Summary</name>
            <t>The architecture of a token-mediating backend is more complicated than a browser-only application, but less complicated than running a proxying BFF. Similar to complexity, the security properties offered by the token-mediating backend lie somewhere between using a BFF and running a browser-only application.</t>
            <t>A token-mediating backend addresses typical scenarios that grant the attacker long-term access on behalf of the user. However, due to the consequence of access token theft, the attacker still has the ability to gain direct access to resource servers.</t>
            <t>When considering a token-mediating backend architecture, it is strongly recommended to evaluate if adopting a full BFF as discussed in <xref target="pattern-bff"/> is a viable alternative. Only when the use cases or system requirements would prevent the use of a proxying BFF should the token-mediating backend be considered over a full BFF.</t>
          </section>
        </section>
      </section>
      <section anchor="pattern-oauth-browser">
        <name>Browser-based OAuth 2.0 client</name>
        <t>This section describes the architecture of a browser-based application that acts as the OAuth client, handling all OAuth responsibilities in the browser. As a result, the browser-based application obtains tokens from the authorization server, without the involvement of a backend component.</t>
        <t>If an attacker is able to execute malicious code in the browser, this application architecture is vulnerable to all attack scenarios discussed earlier (<xref target="attackscenarios"/>). In essence, the attacker will be able to obtain access tokens and refresh tokens from the authorization server, potentially giving them long-term access to protected resources on behalf of the user.</t>
        <section anchor="application-architecture-2">
          <name>Application Architecture</name>
          <figure anchor="fig-bbapp-pattern-standalone">
            <name>Browser-based OAuth 2.0 Client Pattern</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="520" viewBox="0 0 520 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,256 L 8,320" fill="none" stroke="black"/>
                  <path d="M 152,256 L 152,320" fill="none" stroke="black"/>
                  <path d="M 184,32 L 184,112" fill="none" stroke="black"/>
                  <path d="M 232,256 L 232,320" fill="none" stroke="black"/>
                  <path d="M 240,144 L 240,224" fill="none" stroke="black"/>
                  <path d="M 288,144 L 288,224" fill="none" stroke="black"/>
                  <path d="M 312,32 L 312,112" fill="none" stroke="black"/>
                  <path d="M 392,32 L 392,112" fill="none" stroke="black"/>
                  <path d="M 432,144 L 432,224" fill="none" stroke="black"/>
                  <path d="M 480,144 L 480,224" fill="none" stroke="black"/>
                  <path d="M 488,256 L 488,320" fill="none" stroke="black"/>
                  <path d="M 512,32 L 512,112" fill="none" stroke="black"/>
                  <path d="M 184,32 L 312,32" fill="none" stroke="black"/>
                  <path d="M 392,32 L 512,32" fill="none" stroke="black"/>
                  <path d="M 184,112 L 312,112" fill="none" stroke="black"/>
                  <path d="M 392,112 L 512,112" fill="none" stroke="black"/>
                  <path d="M 8,256 L 152,256" fill="none" stroke="black"/>
                  <path d="M 232,256 L 488,256" fill="none" stroke="black"/>
                  <path d="M 168,288 L 216,288" fill="none" stroke="black"/>
                  <path d="M 8,320 L 152,320" fill="none" stroke="black"/>
                  <path d="M 232,320 L 488,320" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="488,224 476,218.4 476,229.6" fill="black" transform="rotate(90,480,224)"/>
                  <polygon class="arrowhead" points="440,144 428,138.4 428,149.6" fill="black" transform="rotate(270,432,144)"/>
                  <polygon class="arrowhead" points="296,224 284,218.4 284,229.6" fill="black" transform="rotate(90,288,224)"/>
                  <polygon class="arrowhead" points="296,144 284,138.4 284,149.6" fill="black" transform="rotate(270,288,144)"/>
                  <polygon class="arrowhead" points="248,144 236,138.4 236,149.6" fill="black" transform="rotate(270,240,144)"/>
                  <polygon class="arrowhead" points="224,288 212,282.4 212,293.6" fill="black" transform="rotate(0,216,288)"/>
                  <g class="text">
                    <text x="248" y="68">Authorization</text>
                    <text x="452" y="68">Resource</text>
                    <text x="244" y="84">Server</text>
                    <text x="452" y="84">Server</text>
                    <text x="256" y="180">(B)</text>
                    <text x="304" y="180">(C)</text>
                    <text x="448" y="180">(D)</text>
                    <text x="496" y="180">(E)</text>
                    <text x="192" y="276">(A)</text>
                    <text x="44" y="292">Static</text>
                    <text x="88" y="292">Web</text>
                    <text x="124" y="292">Host</text>
                    <text x="352" y="292">Browser</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
                      +---------------+         +--------------+
                      |               |         |              |
                      | Authorization |         |   Resource   |
                      |    Server     |         |    Server    |
                      |               |         |              |
                      +---------------+         +--------------+

                             ^     ^                 ^     +
                             |     |                 |     |
                             |(B)  |(C)              |(D)  |(E)
                             |     |                 |     |
                             |     |                 |     |
                             +     v                 +     v

+-----------------+         +-------------------------------+
|                 |   (A)   |                               |
| Static Web Host | +-----> |           Browser             |
|                 |         |                               |
+-----------------+         +-------------------------------+
]]></artwork>
            </artset>
          </figure>
          <t>In this architecture, the code is first loaded from a static web host into
the browser (A), and the application then runs in the browser. In this scenario, the browser-based application is considered a public
client, which does not possess client credentials to authenticate to the authorization server.</t>
          <t>The application obtains an authorization code (B) by initiating the Authorization Code flow with the PKCE
extension (described in <xref target="pattern-oauth-browser-flow"/>). The application uses a browser API (e.g. <xref target="Fetch"/>) to make a POST request to the token endpoint (C) to exchange the authorization code for tokens.</t>
          <t>The application is then responsible for storing
the access token and optional refresh token as securely as possible using appropriate browser APIs, described in <xref target="token-storage"/>.</t>
          <t>When the application in the browser wants to make a request to the resource server,
it can interact with the resource server directly. The application includes the access token in the request (D)
and receives the resource server's response (E).</t>
        </section>
        <section anchor="implementation-details-2">
          <name>Implementation Details</name>
          <t>Browser-based applications that are public clients (<xref section="2.1" sectionFormat="of" target="RFC6749"/>) and use the Authorization Code grant type described in
<xref section="4.1" sectionFormat="of" target="RFC6749"/> MUST also follow these additional requirements
described in this section.</t>
          <section anchor="pattern-oauth-browser-flow">
            <name>The Authorization Code Grant</name>
            <t>Browser-based applications that are public clients MUST implement the Proof Key for Code Exchange
(PKCE <xref target="RFC7636"/>) extension when obtaining an access token, and authorization servers MUST support and enforce
PKCE for such clients.</t>
            <t>The PKCE extension prevents an attack where the authorization code is intercepted
and exchanged for an access token by a malicious client, by providing the
authorization server with a way to verify the client instance that exchanges
the authorization code is the same one that initiated the flow.</t>
          </section>
          <section anchor="pattern-oauth-browser-csrf">
            <name>Cross-Site Request Forgery Protections</name>
            <t>Browser-based applications MUST prevent CSRF attacks against their redirect URI. This can be
accomplished by any of the below:</t>
            <ul spacing="normal">
              <li>
                <t>configuring the authorization server to require PKCE for this client</t>
              </li>
              <li>
                <t>using and verifying unique value for the OAuth <tt>state</tt> parameter to carry a CSRF token</t>
              </li>
              <li>
                <t>if the application is also using OpenID Connect, by using and verifying the OpenID Connect <tt>nonce</tt> parameter as described in <xref target="OpenID"/></t>
              </li>
            </ul>
            <t>See <xref section="2.1" sectionFormat="of" target="RFC9700"/> for additional details on selecting a proper CSRF defense for the Authorization Code flow.</t>
          </section>
          <section anchor="pattern-oauth-browser-rt">
            <name>Refresh Tokens</name>
            <t>For browser-based clients, the refresh token is typically a bearer token, unless the application explicitly uses DPoP <xref target="RFC9449"/>. As a result, the risk of a leaked refresh token
is greater than leaked access tokens, since an attacker may be able to
continue using the stolen refresh token to obtain new access tokens potentially without being
detectable by the authorization server.</t>
            <t>Authorization servers may choose whether or not to issue refresh tokens to browser-based
applications. However, in light of the impact of third-party cookie-blocking mechanisms, the use of refresh tokens has become significantly more attractive. <xref target="RFC9700"/> describes some additional requirements around refresh tokens
on top of the recommendations of <xref target="RFC6749"/>. Applications and authorization servers
conforming to this BCP MUST also follow the recommendations in <xref target="RFC9700"/>
around refresh tokens if refresh tokens are issued to browser-based applications.</t>
            <t>In particular, authorization servers:</t>
            <ul spacing="normal">
              <li>
                <t>MUST either rotate refresh tokens on each use OR use sender-constrained refresh tokens as described in <xref section="4.14.2" sectionFormat="of" target="RFC9700"/></t>
              </li>
              <li>
                <t>MUST either set a maximum lifetime on refresh tokens OR expire if the refresh token has not been used within some amount of time</t>
              </li>
              <li>
                <t>upon issuing a rotated refresh token, MUST NOT extend the lifetime of the new refresh token beyond the lifetime of the initial refresh token if the refresh token has a preestablished expiration time</t>
              </li>
            </ul>
            <t>Limiting the overall refresh token lifetime to the lifetime of the initial refresh token ensures a stolen refresh token cannot be used indefinitely.</t>
            <t>For example:</t>
            <ul spacing="normal">
              <li>
                <t>A user authorizes an application, issuing an access token that lasts 10 minutes, and a refresh token that lasts 8 hours</t>
              </li>
              <li>
                <t>After 10 minutes, the initial access token expires, so the application uses the refresh token to get a new access token</t>
              </li>
              <li>
                <t>The authorization server returns a new access token that lasts 10 minutes, and a new refresh token that lasts 7 hours and 50 minutes</t>
              </li>
              <li>
                <t>This continues until 8 hours pass from the initial authorization</t>
              </li>
              <li>
                <t>At this point, when the application attempts to use the refresh token after 8 hours, the request will fail and the application will have to re-initiate an Authorization Code flow that relies on the user's authentication or previously established session</t>
              </li>
            </ul>
            <t>Authorization servers SHOULD link the lifetime of the refresh token to the user's authenticated session with the authorization server. Doing so ensures that when a user logs out, previously issued refresh tokens to browser-based applications become invalid, mimicking a single-logout scenario. Authorization servers MAY set different policies around refresh token issuance, lifetime and expiration for browser-based applications compared to other public clients.</t>
          </section>
        </section>
        <section anchor="security-considerations-2">
          <name>Security Considerations</name>
          <section anchor="client_authentication">
            <name>Client Authentication</name>
            <t>Since a browser-based application's source code is delivered to the end-user's
browser, it is unfit to contain provisioned secrets. As a consequence, browser-based applications are typically deployed as public clients as defined by <xref section="2.1" sectionFormat="of" target="RFC6749"/>.</t>
            <t>Secrets that are statically included as part of an app distributed to
multiple users should not be treated as confidential secrets, as one
user may inspect their copy and learn the shared secret.  For this
reason, and those stated in <xref section="5.3.1" sectionFormat="of" target="RFC6819"/>, authorization
servers MUST NOT require client authentication of browser-based
applications using a shared secret, as this serves no value beyond
client identification which is already provided by the <tt>client_id</tt> parameter.</t>
            <t>Authorization servers that still require a statically included shared
secret for SPA clients MUST treat the client as a public
client, and not accept the secret as proof of the client's identity. Without
additional measures, such clients are subject to client impersonation
(see <xref target="client_impersonation"/> below).</t>
          </section>
          <section anchor="client_impersonation">
            <name>Client Impersonation</name>
            <t>As stated in <xref section="10.2" sectionFormat="of" target="RFC6749"/>, the authorization
server SHOULD NOT process authorization requests automatically
without user consent or interaction, except when the authorization
server can assure the identity of the client application.</t>
            <t>If authorization servers restrict redirect URIs to a fixed set of absolute
HTTPS URIs, preventing the use of wildcard domains, wildcard paths, or wildcard query string components,
this exact match of registered absolute HTTPS URIs MAY be accepted by authorization servers as
proof of identity of the client for the purpose of deciding whether to automatically
process an authorization request when a previous request for the <tt>client_id</tt>
has already been approved.</t>
            <section anchor="auth_code_redirect">
              <name>Authorization Code Redirect</name>
              <t>Clients MUST register one or more redirect URIs with the authorization server, and use only exact registered redirect URIs in the authorization request.</t>
              <t>Authorization servers MUST require an exact match of a registered redirect URI
as described in <xref section="4.1.1" sectionFormat="of" target="RFC9700"/>. This helps to prevent attacks targeting the authorization code.</t>
            </section>
          </section>
          <section anchor="in_browser_communication_security">
            <name>Security of In-Browser Communication Flows</name>
            <t>In browser-based applications, it is common to execute the OAuth flow in a secondary window, such as a popup or iframe, instead of redirecting the primary window.
In these flows, the browser-based app holds control of the primary window, for instance, to avoid page refreshes or to run frame-based flows silently.</t>
            <t>If the browser-based app and the authorization server are invoked in different frames, they have to use in-browser communication techniques like the postMessage API (a.k.a. <xref target="WebMessaging"/>) instead of top-level redirections.
To guarantee confidentiality and authenticity of messages, both the initiator origin and receiver origin of a postMessage MUST be verified using the mechanisms inherently provided by the postMessage API (Section 9.3.2 in <xref target="WebMessaging"/>).</t>
            <t><xref section="4.18" sectionFormat="of" target="RFC9700"/> provides additional details about the security of in-browser communication flows and the countermeasures that browser-based applications and authorization servers MUST apply to defend against these attacks.</t>
          </section>
          <section anchor="pattern-oauth-browser-cors">
            <name>Cross-Origin Requests</name>
            <t>In this scenario, the application uses a browser API to send requests to the authorization server and the resource server. Given the nature of OAuth 2.0, these requests are typically cross-origin, subjecting them to browser-enforced restrictions on cross-origin communication. The authorization server and the resource server MUST send necessary CORS headers (defined in <xref target="Fetch"/>) to enable the application to make the necessary cross-origin requests. Note that in the extraordinary scenario where the browser-based OAuth client runs in the same origin as the authorization server or resource server, a CORS policy is not needed to enable the necessary interaction.</t>
            <t>For the authorization server, the CORS configuration is relevant for the token endpoint, where the browser-based application exchanges the authorization code for tokens. Additionally, if the authorization server provides additional endpoints to the application, such as discovery metadata URLs, JSON Web Key Sets, dynamic client registration, revocation, introspection or user info endpoints, these endpoints may also be accessed by the browser-based application. Consequentially, the authorization server is responsible for supporting CORS on these endpoints.</t>
            <t>This specification does not include guidelines for deciding the concrete CORS policy implementation, which can consist of a wildcard origin or a more restrictive configuration. Note that CORS has two modes of operation with different security properties. The first mode applies to CORS-safelisted requests, formerly known as simple requests, where the browser sends the request and uses the CORS response headers to decide if the response can be exposed to the client-side execution context. For non-CORS-safelisted requests, such as a request with a custom request header, the browser will first check the CORS policy using a preflight. The browser will only send the actual request when the server sends its approval in the preflight response.</t>
            <t>Note that due to the authorization server's specific configuration, it is possible that the CORS response to a preflight is different from the CORS response to the actual request. During the preflight, the authorization server can only verify the provided origin, but during an actual request, the authorization server has the full request data, such as the client ID. Consequentially, the authorization server can approve a known origin during the preflight, but reject the actual request after comparing the origin to this specific client's list of pre-registered origins.</t>
          </section>
        </section>
        <section anchor="threat-analysis-2">
          <name>Threat Analysis</name>
          <t>This section revisits the attack scenarios and consequences from <xref target="threats"/>, and discusses potential additional defenses.</t>
          <section anchor="attack-scenarios-and-consequences-2">
            <name>Attack Scenarios and Consequences</name>
            <t>If the attacker has the ability to execute malicious code in the application's execution context, the following attack scenarios become relevant:</t>
            <ul spacing="normal">
              <li>
                <t>Single-Execution Token Theft (<xref target="scenario-single-theft"/>)</t>
              </li>
              <li>
                <t>Persistent Token Theft (<xref target="scenario-persistent-theft"/>)</t>
              </li>
              <li>
                <t>Acquisition and Extraction of New Tokens (<xref target="scenario-new-flow"/>)</t>
              </li>
              <li>
                <t>Proxying Requests via the User's Browser (<xref target="scenario-proxy"/>)</t>
              </li>
            </ul>
            <t>The most dangerous attack scenario is the acquisition and extraction of new tokens. In this attack scenario, the attacker only interacts with the authorization server, which makes the actual implementation details of the OAuth functionality in the client irrelevant. Even if the legitimate client application finds a way to completely isolate the tokens from the attacker, the attacker will still be able to obtain tokens from the authorization server.</t>
            <t>Note that these attack scenarios result in the following consequences:</t>
            <ul spacing="normal">
              <li>
                <t>Exploiting Stolen Refresh Tokens (See <xref target="consequence-rt"/>)</t>
              </li>
              <li>
                <t>Exploiting Stolen Access Tokens (See <xref target="consequence-at"/>)</t>
              </li>
              <li>
                <t>Client Hijacking (See <xref target="consequence-hijack"/>)</t>
              </li>
            </ul>
          </section>
          <section anchor="additional-defenses-1">
            <name>Additional Defenses</name>
            <t>While this architecture is inherently vulnerable to malicious browser-based code, there are some additional defenses that can help to increase the security posture of the application. Note that none of these defenses address or fix the underlying problem that allows the attacker to run a new flow to obtain tokens.</t>
            <section anchor="secure-token-storage-1">
              <name>Secure Token Storage</name>
              <t>When handling tokens directly, the application can choose different storage mechanisms to store access tokens and refresh tokens. Universally accessible storage areas, such as <em>Local Storage</em> <xref target="WebStorage"/>, are easier to access from malicious JavaScript than more isolated storage areas, such as a <em>Web Worker</em> <xref target="WebWorker"/>. <xref target="token-storage"/> discusses different storage mechanisms with their trade-off in more detail.</t>
              <t>A practical implementation pattern can use a Web Worker <xref target="WebWorker"/> to isolate the refresh token, and provide the application with the access token making requests to resource servers. This prevents an attacker from using the application's refresh token to obtain new tokens.</t>
              <t>However, even a token storage mechanism that completely isolates the tokens from the attacker does not prevent the attacker from running a new flow to obtain a fresh set of tokens (See <xref target="scenario-new-flow"/>).</t>
            </section>
            <section anchor="using-sender-constrained-tokens-1">
              <name>Using Sender-Constrained Tokens</name>
              <t>Browser-based OAuth clients can implement DPoP <xref target="RFC9449"/> to transition from bearer access tokens and bearer refresh tokens to sender-constrained tokens. In such an implementation, the private key used to sign DPoP proofs is handled by the browser (a non-extractable <xref target="CryptoKeyPair"/> is stored using <xref target="W3C.IndexedDB"/>). As a result, the use of DPoP effectively prevents scenarios where the XSS attacker exfiltrates the application's tokens (See <xref target="scenario-single-theft"/> and <xref target="scenario-persistent-theft"/>).</t>
              <t>Note that the use of DPoP does not prevent the attacker from running a new flow to obtain a fresh access token (and optionally refresh token) <xref target="scenario-new-flow"/>. Even when DPoP is mandatory, the attacker can bind the fresh set of tokens to a key pair under their control, allowing them to exfiltrate the sender-constrained tokens and use them by relying on the attacker-controlled key to calculate the necessary DPoP proofs.</t>
            </section>
            <section anchor="restricting-access-to-the-authorization-server">
              <name>Restricting Access to the Authorization Server</name>
              <t>The scenario where the attacker obtains a fresh access token and (optionally refresh token) <xref target="scenario-new-flow"/> relies on the ability to directly interact with the authorization server from within the browser. In theory, a defense that prevents the attacker from silently interacting with the authorization server could solve the most dangerous attack scenario. However, in practice, such defenses are ineffective or impractical.</t>
              <t>For completeness, this BCP lists a few options below. Note that none of these defenses is recommended, as they do not offer practically usable security benefits.</t>
              <t>The authorization server could block authorization requests that originate from within an iframe. While this would prevent the exact scenario from <xref target="scenario-new-flow"/>, it would not work for slight variations of the attack scenario. For example, the attacker can launch the silent flow in a popup window, or a pop-under window. Additionally, browser-only OAuth clients typically rely on a hidden iframe-based flow to bootstrap the user's authentication state, so this approach would significantly impact the user experience.</t>
              <t>The authorization server could opt to make user consent mandatory in every Authorization Code flow (as described in <xref section="10.2" sectionFormat="of" target="RFC6749"/>), thus requiring user interaction before issuing an authorization code. This approach would make it harder for an attacker to run a silent flow to obtain a fresh set of tokens. However, it also significantly impacts the user experience by continuously requiring consent. As a result, this approach would result in "consent fatigue", which makes it likely that the user will blindly approve the consent, even when it is associated with a flow that was initiated by the attacker.</t>
            </section>
          </section>
          <section anchor="summary-2">
            <name>Summary</name>
            <t>To summarize, the architecture of a browser-based OAuth client application is straightforward, but results in a significant increase in the attack surface of the application. The attacker is not only able to hijack the client, but also to extract a full-featured set of tokens from the browser-based application.</t>
            <t>This architecture is not recommended for business applications, sensitive applications, and applications that handle personal data.</t>
          </section>
        </section>
      </section>
    </section>
    <section anchor="discouraged-and-deprecated-architecture-patterns">
      <name>Discouraged and Deprecated Architecture Patterns</name>
      <t>Client applications and backend applications have evolved significantly over the last two decades, along with threats, attacker models, and a general understanding of modern application security. As a result, previous recommendations generally accepted in the industry as well as published by the OAuth Working Group are often no longer recommended, and proposed solutions often fall short of meeting the expected security requirements.</t>
      <t>This section discusses a few alternative architecture patterns, which are not recommended for use in modern browser-based OAuth applications. This section discusses each of the patterns, along with a threat analysis that investigates the attack scenarios and consequences when relevant.</t>
      <section anchor="single-domain-apps">
        <name>Single-Domain Browser-Based Applications (not using OAuth)</name>
        <t>Too often, simple applications are made needlessly complex by using OAuth to replace the concept of session management. A typical example is the modern incarnation of a server-side MVC application, which now consists of a browser-based frontend backed by a server-side API.</t>
        <t>In such an application, the use of OpenID connect to offload user authentication to a dedicated provider can significantly simplify the application's architecture and development. However, the use of OAuth for governing access between the frontend and the backend is often not needed. Instead of using access tokens, the application can rely on traditional cookie-based session state to keep track of the user's authentication status. The security guidelines to protect the session cookie are discussed in <xref target="pattern-bff-cookie-security"/>.</t>
        <t>While the advice to not use OAuth seems out-of-place in this document, it is important to note that OAuth was originally created for third-party or federated access to APIs, so it may not be the best solution in a single common-domain deployment. That said, there are still some advantages in using OAuth even in a common-domain architecture:</t>
        <ul spacing="normal">
          <li>
            <t>Allows more flexibility in the future, such as if you were to later add a new domain to the system. With OAuth already in place, adding a new domain wouldn't require any additional rearchitecting.</t>
          </li>
          <li>
            <t>Being able to take advantage of existing library support rather than writing bespoke code for the integration.</t>
          </li>
          <li>
            <t>Centralizing login and multi-factor authentication support, account management, and recovery at the OAuth server, rather than making it part of the application logic.</t>
          </li>
          <li>
            <t>Splitting of responsibilities between authenticating a user and serving resources</t>
          </li>
        </ul>
        <t>Using OAuth for browser-based applications in a first-party same-domain scenario provides these advantages, and can be accomplished by any of the architectural patterns described above.</t>
        <section anchor="threat-analysis-3">
          <name>Threat Analysis</name>
          <t>Due to the lack of using OAuth, this architecture pattern is only vulnerable to the following attack scenarios: Proxying Requests via the User's Browser (<xref target="scenario-proxy"/>). As a result, this pattern can lead to the following consequence: Client Hijacking (<xref target="consequence-hijack"/>)</t>
        </section>
      </section>
      <section anchor="implicit_flow">
        <name>OAuth Implicit Grant</name>
        <t>The OAuth 2.0 Implicit grant type (defined in <xref section="4.2" sectionFormat="of" target="RFC6749"/>)
works by the authorization server issuing an access token in the
authorization response (front channel) without an authorization code exchange step. In this case, the access
token is returned in the fragment part of the redirect URI, providing an attacker
with several opportunities to intercept and steal the access token.</t>
        <t>The security properties of the Implicit grant type make it no longer a recommended best practice. To effectively prevent the use of this flow, the authorization server MUST NOT issue access tokens in the authorization response, and MUST issue
access tokens only from the token endpoint. Browser-based clients MUST use the Authorization Code grant type and MUST NOT use the Implicit grant type to obtain access tokens.</t>
        <section anchor="historic-note">
          <name>Historic Note</name>
          <t>Historically, the Implicit grant type provided an advantage to browser-based applications since
JavaScript could always arbitrarily read and manipulate the fragment portion of the
URL without triggering a page reload. This was necessary in order to remove the
access token from the URL after it was obtained by the app. Additionally, until
CORS was widespread in browsers, the Implicit grant type
offered an alternative flow that didn't require CORS support in the browser or on the server.</t>
          <t>Modern browsers now have the Session History API (described in "Session history and
navigation" of <xref target="HTML"/>), which provides a mechanism to modify the path and query string
component of the URL without triggering a page reload. Additionally, CORS has widespread
support and is often used by single-page applications for many purposes. This means modern browser-based applications can
use the OAuth 2.0 Authorization Code grant type with PKCE, since they have the ability to
remove the authorization code from the query string without triggering a page reload
thanks to the Session History API, and CORS support at the token endpoint means the
app can obtain tokens even if the authorization server is on a different domain.</t>
        </section>
        <section anchor="threat-analysis-4">
          <name>Threat Analysis</name>
          <t>The architecture pattern discussed in this section is vulnerable to the following attack scenarios:</t>
          <ul spacing="normal">
            <li>
              <t>Single-Execution Token Theft <xref target="scenario-single-theft"/></t>
            </li>
            <li>
              <t>Persistent Token Theft <xref target="scenario-persistent-theft"/></t>
            </li>
            <li>
              <t>Acquisition and Extraction of New Tokens <xref target="scenario-new-flow"/></t>
            </li>
            <li>
              <t>Proxying Requests via the User's Browser <xref target="scenario-proxy"/></t>
            </li>
          </ul>
          <t>As a result, this pattern can lead to the following consequences:</t>
          <ul spacing="normal">
            <li>
              <t>Exploiting Stolen Refresh Tokens <xref target="consequence-rt"/></t>
            </li>
            <li>
              <t>Exploiting Stolen Access Tokens <xref target="consequence-at"/></t>
            </li>
            <li>
              <t>Client Hijacking <xref target="consequence-hijack"/></t>
            </li>
          </ul>
        </section>
        <section anchor="further-attacks-on-the-implicit-grant">
          <name>Further Attacks on the Implicit Grant</name>
          <t>Apart from the attack scenarios and consequences that were already discussed, there are a few additional attacks that further support the deprecation of the Implicit grant type. Many attacks on the Implicit grant type described by <xref target="RFC6819"/> and <xref section="4.1.2" sectionFormat="of" target="RFC9700"/>
do not have sufficient mitigation strategies. The following sections describe the specific
attacks that cannot be mitigated while continuing to use the Implicit grant type.</t>
          <section anchor="manipulation-of-the-redirect-uri">
            <name>Manipulation of the Redirect URI</name>
            <t>If an attacker is able to cause the authorization response to be sent to a URI under
their control, they will directly get access to the authorization response including the access token.
Several methods of performing this attack are described in detail in <xref target="RFC9700"/>.</t>
          </section>
          <section anchor="access-token-leak-in-browser-history">
            <name>Access Token Leak in Browser History</name>
            <t>An attacker could obtain the access token from the browser's history.
The countermeasures recommended by <xref target="RFC6819"/> are limited to using short expiration
times for tokens, and indicating that browsers should not cache the response.
Neither of these fully prevent this attack, they only reduce the potential damage.</t>
            <t>Additionally, many browsers now also sync browser history to cloud services and to
multiple devices, providing an even wider attack surface to extract access tokens
out of the URL.</t>
            <t>This is discussed in more detail in <xref section="4.3.2" sectionFormat="of" target="RFC9700"/>.</t>
          </section>
          <section anchor="manipulation-of-scripts">
            <name>Manipulation of Scripts</name>
            <t>An attacker could modify the page or inject scripts into the browser through various
means, including when the browser's HTTPS connection is being intercepted by, for
example, a corporate network. While attacks on the TLS layer are typically out of scope
of basic security recommendations to prevent, in the case of browser-based applications they are
much easier to perform. An injected script can enable an attacker to have access to everything
on the page.</t>
            <t>The risk of a malicious script running on the page may be amplified when the application
uses a known standard way of obtaining access tokens, namely that the attacker can
always look at the <tt>window.location</tt> variable to find an access token. This threat profile
is different from an attacker specifically targeting an individual application
by knowing where or how an access token obtained via the Authorization Code flow may
end up being stored.</t>
          </section>
          <section anchor="access-token-leak-to-third-party-scripts">
            <name>Access Token Leak to Third-Party Scripts</name>
            <t>It is relatively common to use third-party scripts in browser-based applications, such as
analytics tools, crash reporting, and even things like a social media "like" button.
In these situations, the author of the application may not be able to be fully aware
of the entirety of the code running in the application. When an access token is
returned in the fragment, it is visible to any third-party scripts on the page.</t>
          </section>
        </section>
        <section anchor="disadvantages-of-the-implicit-grant">
          <name>Disadvantages of the Implicit Grant</name>
          <t>There are several additional reasons the Implicit grant type is disadvantageous compared to
using the recommended Authorization Code grant type.</t>
          <ul spacing="normal">
            <li>
              <t>OAuth 2.0 provides no mechanism for a client to verify that a particular access token was
intended for that client, which could lead to misuse and possible impersonation attacks if
a malicious party hands off an access token it retrieved through some other means
to the client.</t>
            </li>
            <li>
              <t>Returning an access token in the front-channel redirect gives the authorization
server no assurance that the access token will actually end up at the
application, since there are many ways this redirect may fail or be intercepted.</t>
            </li>
            <li>
              <t>Supporting the Implicit grant type requires additional code, more upkeep and
understanding of the related security considerations. Limiting the
authorization server to just the Authorization Code grant type reduces the attack surface
of the implementation.</t>
            </li>
            <li>
              <t>If the browser-based application gets wrapped into a native app, then <xref target="RFC8252"/>
also requires the use of the Authorization Code grant type with PKCE anyway.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="resource-owner-password-grant">
        <name>Resource Owner Password Grant</name>
        <t>The Resource Owner Password Credentials Grant MUST NOT be used, as described in
<xref section="2.4" sectionFormat="of" target="RFC9700"/>. Instead, using the Authorization Code grant type
and redirecting the user to the authorization server
provides the authorization server the opportunity to prompt the user for
secure non-phishable authentication options, take advantage of single sign-on sessions,
or use third-party identity providers. In contrast, the Resource Owner Password Credentials Grant does not
provide any built-in mechanism for these, and would instead need to be extended with custom protocols.</t>
        <t>To conform to this best practice, browser-based applications using OAuth or OpenID
Connect MUST use a redirect-based flow (e.g. the OAuth Authorization Code grant type)
as described in this document.</t>
      </section>
      <section anchor="service-worker">
        <name>Handling the OAuth Flow in a Service Worker</name>
        <t>In an attempt to limit the attacker's ability to extract existing tokens or acquire a new set of tokens, a pattern using a Service Worker (<xref target="W3C.service-workers"/>) has been suggested in the past. In this pattern, the application's first action upon loading is registering a Service Worker. The Service Worker becomes responsible for executing the Authorization Code flow to obtain tokens and to augment outgoing requests to the resource server with the proper access token. Additionally, the Service Worker blocks the client application's code from making direct calls to the authorization server's endpoints. This restriction aims to target the attack scenario "Acquisition and Extraction of New Tokens" (<xref target="scenario-new-flow"/>).</t>
        <t>The sequence diagram included below illustrates the interactions between the client, the Service Worker, the authorization server, and the resource server.</t>
        <figure anchor="fig-bbapp-pattern-serviceworker">
          <name>OAuth 2.0 Service Worker Pattern</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="432" width="568" viewBox="0 0 568 432" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 16,64 L 16,368" fill="none" stroke="black"/>
                <path d="M 120,64 L 120,368" fill="none" stroke="black"/>
                <path d="M 224,64 L 224,368" fill="none" stroke="black"/>
                <path d="M 392,64 L 392,120" fill="none" stroke="black"/>
                <path d="M 392,168 L 392,216" fill="none" stroke="black"/>
                <path d="M 392,248 L 392,368" fill="none" stroke="black"/>
                <path d="M 512,64 L 512,368" fill="none" stroke="black"/>
                <path d="M 24,96 L 112,96" fill="none" stroke="black"/>
                <path d="M 128,112 L 216,112" fill="none" stroke="black"/>
                <path d="M 232,128 L 504,128" fill="none" stroke="black"/>
                <path d="M 232,224 L 504,224" fill="none" stroke="black"/>
                <path d="M 128,304 L 216,304" fill="none" stroke="black"/>
                <path d="M 232,352 L 384,352" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="512,224 500,218.4 500,229.6" fill="black" transform="rotate(0,504,224)"/>
                <polygon class="arrowhead" points="512,128 500,122.4 500,133.6" fill="black" transform="rotate(0,504,128)"/>
                <polygon class="arrowhead" points="392,352 380,346.4 380,357.6" fill="black" transform="rotate(0,384,352)"/>
                <polygon class="arrowhead" points="224,304 212,298.4 212,309.6" fill="black" transform="rotate(0,216,304)"/>
                <polygon class="arrowhead" points="224,112 212,106.4 212,117.6" fill="black" transform="rotate(0,216,112)"/>
                <polygon class="arrowhead" points="120,96 108,90.4 108,101.6" fill="black" transform="rotate(0,112,96)"/>
                <g class="text">
                  <text x="224" y="36">Service</text>
                  <text x="388" y="36">Resource</text>
                  <text x="512" y="36">Authorization</text>
                  <text x="20" y="52">User</text>
                  <text x="128" y="52">Application</text>
                  <text x="220" y="52">Worker</text>
                  <text x="388" y="52">Server</text>
                  <text x="508" y="52">Server</text>
                  <text x="68" y="84">browse</text>
                  <text x="460" y="116">/authorize</text>
                  <text x="276" y="148">redirect</text>
                  <text x="324" y="148">w/</text>
                  <text x="392" y="148">authorization</text>
                  <text x="468" y="148">code</text>
                  <text x="232" y="164">&lt;</text>
                  <text x="248" y="164">-</text>
                  <text x="264" y="164">-</text>
                  <text x="280" y="164">-</text>
                  <text x="296" y="164">-</text>
                  <text x="312" y="164">-</text>
                  <text x="328" y="164">-</text>
                  <text x="344" y="164">-</text>
                  <text x="360" y="164">-</text>
                  <text x="376" y="164">-</text>
                  <text x="392" y="164">-</text>
                  <text x="408" y="164">-</text>
                  <text x="424" y="164">-</text>
                  <text x="440" y="164">-</text>
                  <text x="456" y="164">-</text>
                  <text x="472" y="164">-</text>
                  <text x="488" y="164">-</text>
                  <text x="504" y="164">-</text>
                  <text x="280" y="196">token</text>
                  <text x="336" y="196">request</text>
                  <text x="268" y="212">w/</text>
                  <text x="300" y="212">auth</text>
                  <text x="340" y="212">code</text>
                  <text x="476" y="212">/token</text>
                  <text x="232" y="244">&lt;</text>
                  <text x="248" y="244">-</text>
                  <text x="264" y="244">-</text>
                  <text x="280" y="244">-</text>
                  <text x="296" y="244">-</text>
                  <text x="312" y="244">-</text>
                  <text x="328" y="244">-</text>
                  <text x="344" y="244">-</text>
                  <text x="360" y="244">-</text>
                  <text x="376" y="244">-</text>
                  <text x="392" y="244">-</text>
                  <text x="408" y="244">-</text>
                  <text x="424" y="244">-</text>
                  <text x="440" y="244">-</text>
                  <text x="456" y="244">-</text>
                  <text x="472" y="244">-</text>
                  <text x="488" y="244">-</text>
                  <text x="504" y="244">-</text>
                  <text x="172" y="276">resource</text>
                  <text x="168" y="292">request</text>
                  <text x="276" y="324">resource</text>
                  <text x="344" y="324">request</text>
                  <text x="252" y="340">w/</text>
                  <text x="292" y="340">access</text>
                  <text x="344" y="340">token</text>
                  <text x="20" y="388">User</text>
                  <text x="128" y="388">Application</text>
                  <text x="224" y="388">Service</text>
                  <text x="388" y="388">Resource</text>
                  <text x="512" y="388">Authorization</text>
                  <text x="220" y="404">Worker</text>
                  <text x="388" y="404">Server</text>
                  <text x="508" y="404">Server</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                          Service             Resource     Authorization
  User      Application   Worker               Server         Server
   |            |            |                    |              |
   |   browse   |            |                    |              |
   |----------->|            |                    |              |
   |            |----------->|                    |   /authorize |
   |            |            |---------------------------------->|
   |            |            |  redirect w/ authorization code   |
   |            |            |< - - - - - - - - - - - - - - - - -|
   |            |            |                    |              |
   |            |            |    token request   |              |
   |            |            |    w/ auth code    |       /token |
   |            |            |---------------------------------->|
   |            |            |< - - - - - - - - - - - - - - - - -|
   |            |            |                    |              |
   |            |  resource  |                    |              |
   |            |  request   |                    |              |
   |            |----------->|                    |              |
   |            |            |  resource request  |              |
   |            |            |  w/ access token   |              |
   |            |            |------------------->|              |
   |            |            |                    |              |
  User      Application   Service             Resource     Authorization
                          Worker               Server         Server
]]></artwork>
          </artset>
        </figure>
        <t>Note that this pattern never exposes the tokens to the application running in the browser. Since the Service Worker runs in an isolated execution environment, there is no shared memory and no way for the client application to influence the execution of the Service Worker.</t>
        <section anchor="threat-analysis-5">
          <name>Threat Analysis</name>
          <t>The architecture pattern discussed in this section is vulnerable to the following attack scenarios:</t>
          <ul spacing="normal">
            <li>
              <t>Acquisition and Extraction of New Tokens <xref target="scenario-new-flow"/></t>
            </li>
            <li>
              <t>Proxying Requests via the User's Browser <xref target="scenario-proxy"/></t>
            </li>
          </ul>
          <t>As a result, this pattern can lead to the following consequences:</t>
          <ul spacing="normal">
            <li>
              <t>Exploiting Stolen Refresh Tokens <xref target="consequence-rt"/></t>
            </li>
            <li>
              <t>Exploiting Stolen Access Tokens <xref target="consequence-at"/></t>
            </li>
            <li>
              <t>Client Hijacking <xref target="consequence-hijack"/></t>
            </li>
          </ul>
          <section anchor="attacking-the-service-worker">
            <name>Attacking the Service Worker</name>
            <t>The seemingly promising security benefits of using a Service Worker warrant a more detailed discussion of its security limitations. To fully protect the application against the relevant attack scenarios (<xref target="attackscenarios"/>), the Service Worker needs to meet two security requirements:</t>
            <ol spacing="normal" type="1"><li>
                <t>Prevent an attacker from exfiltrating tokens</t>
              </li>
              <li>
                <t>Prevent an attacker from acquiring a new set of tokens</t>
              </li>
            </ol>
            <t>Once registered, the Service Worker runs an Authorization Code flow and obtains the tokens. Since the Service Worker keeps track of tokens in its own isolated execution environment, they are out of reach for any application code, including potentially malicious code. Consequentially, the Service Worker meets the first requirement of preventing token exfiltration. This essentially neutralizes the first two attack scenarios discussed in <xref target="attackscenarios"/>.</t>
            <t>To meet the second security requirement, the Service Worker must be able to guarantee that an attacker controlling the legitimate application cannot execute a new Authorization Code grant, an attack discussed in <xref target="scenario-new-flow"/>. Due to the nature of Service Workers, the registered Service Worker will be able to block all outgoing requests that initiate such a new flow, even when they occur in a frame or a new window.</t>
            <t>However, the malicious code running inside the application can unregister this Service Worker. Unregistering a Service Worker can have a significant functional impact on the application, so it is not an operation the browser handles lightly. Therefore, an unregistered Service Worker is marked as such, but all currently running instances remain active until their corresponding browsing context is terminated (e.g., by closing the tab or window). So even when an attacker unregisters a Service Worker, it remains active and able to prevent the attacker from reaching the authorization server.</t>
            <t>One of the consequences of unregistering a Service Worker is that it will not be present when a new browsing context is opened. So when the attacker first unregisters the Service Worker, and then starts a new flow in a frame, there will be no Service Worker associated with the browsing context of the frame. Consequentially, the attacker will be able to run its own new Authorization Code grant, extract the authorization code from the frame's URL, and exchange it for tokens. In essence, the Service Worker fails to meet the second security requirement, leaving it vulnerable to the scenario where the attacker acquires a new set of tokens (<xref target="scenario-new-flow"/>).</t>
            <t>Due to these shortcomings, combined with the significant complexity of registering and maintaining a Service Worker, this pattern is not recommended.</t>
            <t>Finally, note that the use of a Service Worker by itself does not increase the attack surface of the application. In practice, Service Workers are often used to retrofit a legacy application with support for including OAuth access tokens on outgoing requests. The Service Worker in these scenarios does not change the security properties of the application, but merely simplifies development and maintenance of the application.</t>
          </section>
        </section>
      </section>
    </section>
    <section anchor="token-storage">
      <name>Token Storage in the Browser</name>
      <t>When a browser-based application handles OAuth access tokens or refresh tokens directly, it becomes responsible for ephemerally or persistently storing the tokens. As a consequence, the application needs to decide how to manage the tokens (e.g., in-memory vs persistent storage), and which steps to take to further isolate the tokens from the main application code. This section discusses a few different storage mechanisms and their properties. These recommendations take into account the unique properties of OAuth tokens, some of which may overlap with general browser security recommendations.</t>
      <t>When discussing the security properties of browser-based token storage solutions, it is important to understand the attacker's capabilities when they compromise a browser-based application. Similar to previous discussions, two main attack scenarios should be taken into account:</t>
      <ol spacing="normal" type="1"><li>
          <t>The attacker obtaining tokens from storage</t>
        </li>
        <li>
          <t>The attacker obtaining tokens from the provider (e.g., the authorization server or the token-mediating backend)</t>
        </li>
      </ol>
      <t>Since the attacker's code becomes indistinguishable from the legitimate application's code, the attacker will always be able to request tokens from the provider in exactly the same way as the legitimate application code. As a result, not even a completely isolated token storage solution can address the dangers of the second threat, where the attacker requests tokens from the provider.</t>
      <t>That said, the different security properties of browser-based storage solutions will impact the attacker's ability to obtain existing tokens from storage.</t>
      <section anchor="cookies">
        <name>Cookies</name>
        <t>Browser cookies are both a storage mechanism and a transport mechanism. The browser automatically supports both through the corresponding request and response headers, resulting in the storage of cookies in the browser and the automatic inclusion of cookies on outgoing requests given it matches the cookie's domain, path, or other properties.</t>
        <t>Next to header-based control over cookies, browsers also offer a JavaScript Cookie API to get and set cookies. This Cookie API is often mistaken as an easy way to store data in the browser. In such a scenario, the JavaScript code stores a token in a cookie, with the intent to retrieve the token for later inclusion in the Authorization header of an API call. However, since the cookie is associated with the domain of the browser-based application, the browser will also send the cookie containing the token when making a request to the server running on this domain. One example of such a request is the browser loading the application after a previous visit to the application (step A in the diagram of <xref target="pattern-oauth-browser"/>).</t>
        <t>Because of these unintentional side effects of using cookies for JavaScript-based storage, this practice is NOT RECOMMENDED.</t>
        <t>Note that this practice is different from the use of cookies in a BFF (discussed in <xref target="pattern-bff-cookie-security"/>), where the cookie is inaccessible to JavaScript and is intended to be sent to the backend.</t>
      </section>
      <section anchor="token-storage-service-worker">
        <name>Token Storage in a Service Worker</name>
        <t>A Service Worker (<xref target="W3C.service-workers"/>) offers a fully isolated environment to keep track of tokens. These tokens are inaccessible to the client application, effectively protecting them against exfiltration. To guarantee the security of these tokens, the Service Worker cannot share these tokens with the application. Consequentially, whenever the application wants to perform an operation with a token, it has to ask the Service Worker to perform this operation and return the result.</t>
        <t>When aiming to isolate tokens from the application's execution context, the Service Worker MUST NOT store tokens in any persistent storage API that is shared with the main window. For example, currently, the IndexedDB storage is shared between the browsing context and Service Worker, so is not a suitable place for the Service Worker to persist data that should remain inaccessible to the main window. Consequentially, the Service Worker currently does not have access to an isolated persistent storage area.</t>
        <t>As discussed before, the use of a Service Worker does not prevent an attacker from obtaining a new set of tokens. Similarly, if the application is responsible for obtaining tokens from the authorization server and passing them to a Service Worker for further management, the attacker can perform the same operation as the legitimate application to obtain these tokens.</t>
      </section>
      <section anchor="token-storage-in-a-web-worker">
        <name>Token Storage in a Web Worker</name>
        <t>The application can use a Web Worker <xref target="WebWorker"/>, which results in an almost identical scenario as the previous one that relies on a Service Worker. The difference between a Service Worker and a Web Worker is the level of access and its runtime properties. Service Workers can intercept and modify outgoing requests, while Web Workers are just a way to run background tasks. Web Workers are ephemeral and disappear when the browsing context is closed, while Service Workers are persistent services registered in the browser.</t>
        <t>The security properties of using a Web Worker are identical to using Service Workers. When tokens are exposed to the application, they become vulnerable. When tokens need to be used, the operation that relies on them has to be carried out by the Web Worker.</t>
        <t>One common method to isolate the refresh token is to use Web Workers. In such a scenario, the application starts an Authorization Code flow from a Web Worker. The authorization code from the redirect is forwarded to the Web Worker, which then exchanges it for tokens. The Web Worker keeps the refresh token in memory and sends the access token to the main application. The main application uses the access token as desired. When the application needs to run a refresh token flow, it asks the Web Worker to do so, after which the application obtains a fresh access token.</t>
        <t>In this scenario, the application's own refresh token is effectively protected against exfiltration, but the access token is not. Additionally, nothing would prevent an attacker from obtaining their own tokens by running a new Authorization Code flow <xref target="scenario-new-flow"/>.</t>
      </section>
      <section anchor="token-storage-in-memory">
        <name>In-Memory Token Storage</name>
        <t>Another option is keeping tokens in memory, without using any persistent storage. Doing so limits the exposure of the tokens to the current execution context only, but has the downside of not being able to persist tokens between page loads.</t>
        <t>In a JavaScript execution environment, the security of in-memory token storage can be further enhanced by using a closure variable to effectively shield the token from direct access. By using closures, the token is only accessible to the pre-defined functions inside the closure, such as a function to make a request to the resource server.</t>
        <t>While closures work well in simple, isolated environments, they are tricky to secure in a complex environment like the browser's execution environment. For example, a closure relies on a variety of outside functions to execute its operations, such as <tt>toString</tt> functions or networking APIs. Using prototype poisoning, an attacker can substitute these functions with malicious versions, causing the closure's future operations to use these malicious versions. Inside the malicious function, the attacker can gain access to the function arguments, which may expose the tokens from within the closure to the attacker.</t>
      </section>
      <section anchor="token-storage-persistent">
        <name>Persistent Token Storage</name>
        <t>The persistent storage APIs currently available in browsers as of this writing are localStorage (<xref target="WebStorage"/>), sessionStorage (<xref target="WebStorage"/>), and <xref target="W3C.IndexedDB"/>.</t>
        <t>localStorage persists between page reloads as well as is shared across all tabs. This storage is accessible to the entire origin, and persists longer term. localStorage does not protect against unauthorized access from malicious JavaScript, as the attacker would be running code within the same origin, and as such, would be able to read the contents of the localStorage. Additionally, localStorage is a synchronous API, blocking other JavaScript until the operation completes.</t>
        <t>sessionStorage is similar to localStorage, except that the lifetime of sessionStorage is linked to the lifetime of a browser tab. Additionally, sessionStorage is not shared between multiple tabs open to pages on the same origin, which slightly reduces the exposure of the tokens in sessionStorage.</t>
        <t>IndexedDB is a persistent storage mechanism like localStorage, but is shared between multiple tabs as well as between the browsing context and Service Workers. Additionally, IndexedDB is an asynchronous API, which is preferred over the synchronous localStorage API.</t>
        <t>Note that the main difference between these patterns is the exposure of the data, but that none of these options can fully mitigate token exfiltration when the attacker can execute malicious code in the application's execution environment.</t>
      </section>
      <section anchor="filesystem-considerations">
        <name>Filesystem Considerations for Browser Storage APIs</name>
        <t>In all cases, as of this writing, there is no guarantee that browser storage is encrypted at rest. This behavior potentially exposes tokens to attackers that have the ability to read files on disk. While such attacks rely on capabilities that are well beyond the scope of browser-based applications, this topic highlights an important attack vector against modern applications. More and more malware is specifically created to crawl user's machines looking for browser profiles to obtain high-value tokens and session cookies, resulting in account takeover attacks.</t>
        <t>While the browser-based application is incapable of mitigating such attacks, the application can mitigate the consequences of such an attack by ensuring data confidentiality using encryption. The <xref target="W3C.WebCryptoAPI"/> provides a mechanism for JavaScript code to generate a secret key, as well as an option for that key to be non-exportable. A JavaScript application could then use this API to encrypt and decrypt tokens before storing them. However, the <xref target="W3C.WebCryptoAPI"/> specification only ensures that the key is not exportable to the browser code, but does not place any requirements on the underlying storage of the key itself with the operating system. As such, a non-exportable key cannot be relied on as a way to protect against exfiltration from the underlying filesystem.</t>
        <t>In order to protect against token exfiltration from the filesystem, the encryption keys would need to be stored somewhere other than the filesystem, such as on a remote server. This introduces new complexity for a purely browser-based app, and is out of scope of this document.</t>
      </section>
    </section>
    <section anchor="security-considerations-3">
      <name>Security Considerations</name>
      <section anchor="reducing-the-authority-of-tokens">
        <name>Reducing the Authority of Tokens</name>
        <t>A general security best practice in the OAuth world is to minimize the authority associated with access tokens. This best practice is applicable to all the architectures discussed in this specification. Concretely, the following considerations can help reducing the authority of access tokens:</t>
        <ul spacing="normal">
          <li>
            <t>Reduce the lifetime of access tokens and rely on refresh tokens for access token renewal</t>
          </li>
          <li>
            <t>Reduce the scopes or permissions associated with the access token</t>
          </li>
          <li>
            <t>Use <xref target="RFC8707"/> to restrict access tokens to a single resource</t>
          </li>
        </ul>
        <t>When OpenID Connect is used, it is important to avoid sensitive information disclosure through the claims in the ID Token. The authorization server SHOULD NOT include any ID token claims that aren't used by the client.</t>
      </section>
      <section anchor="sender-constrained-tokens">
        <name>Sender-Constrained Tokens</name>
        <t>As discussed throughout this document, the use of sender-constrained tokens does not solve the security limitations of browser-only OAuth clients. However, when the level of security offered by a token-mediating backend (<xref target="pattern-tmb"/>) or a browser-only OAuth client (<xref target="pattern-oauth-browser"/>) suffices for the use case at hand, sender-constrained tokens can be used to enhance the security of both access tokens and refresh tokens. One method of implementing sender-constrained tokens in a way that is usable from browser-based applications is DPoP <xref target="RFC9449"/>.</t>
        <t>When using sender-constrained tokens, the OAuth client has to prove possession of a private key in order to use the token, such that the token isn't usable by itself. If a sender-constrained token is stolen, the attacker wouldn't be able to use the token directly, they would need to also steal the private key. In essence, one could say that using sender-constrained tokens shifts the challenge of securely storing the token to securely storing the private key. Ideally, the application should use a non-exportable private key, such as generating one with the <xref target="W3C.WebCryptoAPI"/>. With an unencrypted token in the browser storage protected by a non-exportable private key, an XSS attack would not be able to extract the key, so the token would not be usable by the attacker.</t>
        <t>If the application is unable to use an API that generates a non-exportable key, the application should take measures to isolate the private key from its own execution context. The techniques for doing so are similar to using a secure token storage mechanism, as discussed in <xref target="token-storage"/>.</t>
        <t>While a non-exportable key is protected from exfiltration from within the JavaScript context, the exfiltration of the underlying private key from the filesystem is still a potential attack vector. At the time of writing, there is no guarantee made by the <xref target="W3C.WebCryptoAPI"/> that a non-exportable key is actually protected by a Trusted Platform Module (TPM) or stored in an encrypted form on disk. Exfiltration of the non-exportable key from the underlying filesystem may still be possible if the attacker can get access to the filesystem of the user's machine, for example via malware. This effectively makes the potential attack vector equivalent to a session hijacking attack.</t>
      </section>
      <section anchor="auth_server_mixup">
        <name>Authorization Server Mix-Up Mitigation</name>
        <t>Authorization server mix-up attacks mark a severe threat to every client that supports
at least two authorization servers. <xref section="4.4" sectionFormat="of" target="RFC9700"/> provides additional details about mix-up attacks
and the countermeasures mentioned above.</t>
      </section>
      <section anchor="isolating-applications-using-origins">
        <name>Isolating Applications using Origins</name>
        <t>Many of the web's security mechanisms rely on origins, which are defined as the triple <tt>&lt;scheme, hostname, port&gt;</tt>. For example, browsers automatically isolate browsing contexts with different origins, limit resources to certain origins, and apply CORS restrictions to outgoing cross-origin requests.</t>
        <t>Therefore, it is considered a best practice to avoid deploying more than one application in a single origin. An architecture that only deploys a single application in an origin can leverage these browser restrictions to increase the security of the application. Additionally, having a single origin per application makes it easier to configure and deploy security measures such as CORS, CSP, etc.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document does not require any IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC6749" target="https://www.rfc-editor.org/info/rfc6749" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC6750" target="https://www.rfc-editor.org/info/rfc6750" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6750.xml">
          <front>
            <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6750"/>
          <seriesInfo name="DOI" value="10.17487/RFC6750"/>
        </reference>
        <reference anchor="RFC7636" target="https://www.rfc-editor.org/info/rfc7636" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7636.xml">
          <front>
            <title>Proof Key for Code Exchange by OAuth Public Clients</title>
            <author fullname="N. Sakimura" initials="N." role="editor" surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Agarwal" initials="N." surname="Agarwal"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7636"/>
          <seriesInfo name="DOI" value="10.17487/RFC7636"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8252" target="https://www.rfc-editor.org/info/rfc8252" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8252.xml">
          <front>
            <title>OAuth 2.0 for Native Apps</title>
            <author fullname="W. Denniss" initials="W." surname="Denniss"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="October" year="2017"/>
            <abstract>
              <t>OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser. This specification details the security and usability reasons why this is the case and how native apps and authorization servers can implement this best practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="212"/>
          <seriesInfo name="RFC" value="8252"/>
          <seriesInfo name="DOI" value="10.17487/RFC8252"/>
        </reference>
        <reference anchor="RFC8707" target="https://www.rfc-editor.org/info/rfc8707" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8707.xml">
          <front>
            <title>Resource Indicators for OAuth 2.0</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document specifies an extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8707"/>
          <seriesInfo name="DOI" value="10.17487/RFC8707"/>
        </reference>
        <reference anchor="RFC9449" target="https://www.rfc-editor.org/info/rfc9449" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9449.xml">
          <front>
            <title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Waite" initials="D." surname="Waite"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9449"/>
          <seriesInfo name="DOI" value="10.17487/RFC9449"/>
        </reference>
        <reference anchor="RFC9700" target="https://www.rfc-editor.org/info/rfc9700" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9700.xml">
          <front>
            <title>Best Current Practice for OAuth 2.0 Security</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="A. Labunets" initials="A." surname="Labunets"/>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="240"/>
          <seriesInfo name="RFC" value="9700"/>
          <seriesInfo name="DOI" value="10.17487/RFC9700"/>
        </reference>
        <reference anchor="Fetch" target="https://fetch.spec.whatwg.org/">
          <front>
            <title>Fetch</title>
            <author initials="" surname="whatwg" fullname="whatwg">
              <organization/>
            </author>
            <date year="2024" month="December"/>
          </front>
        </reference>
        <reference anchor="W3C.service-workers" target="https://www.w3.org/TR/service-workers/" xml:base="https://bib.ietf.org/public/rfc/bibxml4/reference.W3C.service-workers.xml">
          <front>
            <title>Service Workers</title>
            <author/>
          </front>
          <seriesInfo name="W3C CR" value="service-workers"/>
          <seriesInfo name="W3C" value="service-workers"/>
        </reference>
        <reference anchor="WebMessaging" target="https://html.spec.whatwg.org/#web-messaging">
          <front>
            <title>HTML - Cross-document messaging</title>
            <author initials="" surname="whatwg" fullname="whatwg">
              <organization/>
            </author>
            <date year="2025" month="January"/>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC6819" target="https://www.rfc-editor.org/info/rfc6819" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6819.xml">
          <front>
            <title>OAuth 2.0 Threat Model and Security Considerations</title>
            <author fullname="T. Lodderstedt" initials="T." role="editor" surname="Lodderstedt"/>
            <author fullname="M. McGloin" initials="M." surname="McGloin"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <date month="January" year="2013"/>
            <abstract>
              <t>This document gives additional security considerations for OAuth, beyond those in the OAuth 2.0 specification, based on a comprehensive threat model for the OAuth 2.0 protocol. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6819"/>
          <seriesInfo name="DOI" value="10.17487/RFC6819"/>
        </reference>
        <reference anchor="I-D.ietf-httpbis-layered-cookies" target="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cookies-02" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-httpbis-layered-cookies.xml">
          <front>
            <title>Cookies: HTTP State Management Mechanism</title>
            <author fullname="Anne van Kesteren" initials="A." surname="van Kesteren">
              <organization>Apple</organization>
            </author>
            <author fullname="Johann Hofmann" initials="J." surname="Hofmann">
              <organization>Google</organization>
            </author>
            <date day="21" month="May" year="2026"/>
            <abstract>
              <t>This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical infelicities that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 6265 and 6265bis.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-layered-cookies-02"/>
        </reference>
        <reference anchor="I-D.ietf-httpbis-rfc6265bis" target="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-22" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-httpbis-rfc6265bis.xml">
          <front>
            <title>Cookies: HTTP State Management Mechanism</title>
            <author fullname="Steven Bingler" initials="S." surname="Bingler"/>
            <author fullname="Mike West" initials="M." surname="West">
              <organization>Google LLC</organization>
            </author>
            <author fullname="John Wilander" initials="J." surname="Wilander">
              <organization>Apple, Inc</organization>
            </author>
            <date day="1" month="December" year="2025"/>
            <abstract>
              <t>This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical flaws that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 6265.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-rfc6265bis-22"/>
        </reference>
        <reference anchor="HTML" target="https://html.spec.whatwg.org/">
          <front>
            <title>HTML</title>
            <author initials="" surname="whatwg" fullname="whatwg">
              <organization/>
            </author>
            <date year="2025" month="January"/>
          </front>
        </reference>
        <reference anchor="OpenID" target="https://openid.net/specs/openid-connect-core-1_0-errata2.html">
          <front>
            <title>OpenID Connect Core 1.0 incorporating errata set 2</title>
            <author initials="N." surname="Sakimura">
              <organization/>
            </author>
            <author initials="J." surname="Bradley">
              <organization/>
            </author>
            <author initials="M." surname="Jones">
              <organization/>
            </author>
            <author initials="B." surname="de Medeiros">
              <organization/>
            </author>
            <author initials="C." surname="Mortimore">
              <organization/>
            </author>
            <date year="2023" month="December"/>
          </front>
        </reference>
        <reference anchor="W3C.CSP3" target="https://www.w3.org/TR/CSP3/" xml:base="https://bib.ietf.org/public/rfc/bibxml4/reference.W3C.CSP3.xml">
          <front>
            <title>Content Security Policy Level 3</title>
            <author/>
          </front>
          <seriesInfo name="W3C WD" value="CSP3"/>
          <seriesInfo name="W3C" value="CSP3"/>
        </reference>
        <reference anchor="W3C.IndexedDB" target="https://www.w3.org/TR/IndexedDB/" xml:base="https://bib.ietf.org/public/rfc/bibxml4/reference.W3C.IndexedDB.xml">
          <front>
            <title>Indexed Database API</title>
            <author/>
          </front>
          <seriesInfo name="W3C REC" value="IndexedDB"/>
          <seriesInfo name="W3C" value="IndexedDB"/>
        </reference>
        <reference anchor="W3C.SRI" target="https://www.w3.org/TR/SRI/" xml:base="https://bib.ietf.org/public/rfc/bibxml4/reference.W3C.SRI.xml">
          <front>
            <title>Subresource Integrity</title>
            <author/>
          </front>
          <seriesInfo name="W3C REC" value="SRI"/>
          <seriesInfo name="W3C" value="SRI"/>
        </reference>
        <reference anchor="W3C.WebCryptoAPI" target="https://www.w3.org/TR/WebCryptoAPI/" xml:base="https://bib.ietf.org/public/rfc/bibxml4/reference.W3C.WebCryptoAPI.xml">
          <front>
            <title>Web Cryptography API</title>
            <author/>
          </front>
          <seriesInfo name="W3C REC" value="WebCryptoAPI"/>
          <seriesInfo name="W3C" value="WebCryptoAPI"/>
        </reference>
        <reference anchor="W3C.wasm-core-2" target="https://www.w3.org/TR/wasm-core-2/" xml:base="https://bib.ietf.org/public/rfc/bibxml4/reference.W3C.wasm-core-2.xml">
          <front>
            <title>WebAssembly Core Specification</title>
            <author/>
          </front>
          <seriesInfo name="W3C CR" value="wasm-core-2"/>
          <seriesInfo name="W3C" value="wasm-core-2"/>
        </reference>
        <reference anchor="WebStorage" target="https://html.spec.whatwg.org/#webstorage">
          <front>
            <title>HTML Living Standard - Web Storage</title>
            <author initials="" surname="whatwg" fullname="whatwg">
              <organization/>
            </author>
            <date year="2025" month="January"/>
          </front>
        </reference>
        <reference anchor="WebWorker" target="https://html.spec.whatwg.org/#toc-workers">
          <front>
            <title>HTML Living Standard - Web workers</title>
            <author initials="" surname="whatwg" fullname="whatwg">
              <organization/>
            </author>
            <date year="2025" month="January"/>
          </front>
        </reference>
        <reference anchor="Site" target="https://developer.mozilla.org/en-US/docs/Glossary/Site">
          <front>
            <title>Site</title>
            <author initials="M." surname="Contributors" fullname="MDN Contributors">
              <organization>Mozilla Developer Network</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OWASPCheatSheet" target="https://cheatsheetseries.owasp.org/">
          <front>
            <title>OWASP Cheat Sheet</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="SessionFixation" target="https://owasp.org/www-community/attacks/Session_fixation">
          <front>
            <title>Session Fixation</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="CryptoKeyPair" target="https://developer.mozilla.org/en-US/docs/Web/API/CryptoKeyPair">
          <front>
            <title>CryptoKeyPair</title>
            <author initials="M." surname="Contributors" fullname="MDN Contributors">
              <organization>Mozilla Developer Network</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 1438?>

<section anchor="document-history">
      <name>Document History</name>
      <t>[[ To be removed from the final specification ]]</t>
      <t>-26</t>
      <ul spacing="normal">
        <li>
          <t>Change to fixed-width formatting for cookie attributes</t>
        </li>
      </ul>
      <t>-25</t>
      <ul spacing="normal">
        <li>
          <t>Use consistent terminology for "browser-based application", and use JavaScript only when explicitly needed</t>
        </li>
        <li>
          <t>Replaced "hard drive" with "local persistent storage"</t>
        </li>
        <li>
          <t>Added a note about operational considerations for the BFF pattern</t>
        </li>
        <li>
          <t>"Forwarding" instead of "Proxying" to avoid confusion with HTTP proxies</t>
        </li>
        <li>
          <t>Minor editorial nits</t>
        </li>
        <li>
          <t>Added more references to terminology on first use</t>
        </li>
        <li>
          <t>Added a reference for Session Fixation</t>
        </li>
      </ul>
      <t>-24</t>
      <ul spacing="normal">
        <li>
          <t>Updated terminology definitions</t>
        </li>
        <li>
          <t>Fixed typos</t>
        </li>
        <li>
          <t>Updated acknowledgements</t>
        </li>
      </ul>
      <t>-23</t>
      <ul spacing="normal">
        <li>
          <t>Ensure acronyms and other specifications are defined and referenced on first use, and added to terminology</t>
        </li>
        <li>
          <t>Clarified mailicious JavaScript is the basis of the threat analysis earlier in the document</t>
        </li>
        <li>
          <t>Clarified why filesystem storage of private key is a concern</t>
        </li>
        <li>
          <t>Clarified JS runtimes in intro</t>
        </li>
        <li>
          <t>Addressed feedback from secdir review</t>
        </li>
        <li>
          <t>Clarified that the specific attacks described are the relevant ones for this document because they are OAuth-specific</t>
        </li>
        <li>
          <t>Described the relationship to session fixation attacks</t>
        </li>
        <li>
          <t>Clarified that section 8 is talking about OAuth tokens specifically</t>
        </li>
        <li>
          <t>Mentioned that localStorage is synchronous</t>
        </li>
        <li>
          <t>Applied suggestions about scope of malicious JS code from Martin Thompson's review</t>
        </li>
        <li>
          <t>Clarified "attacking the service worker" to be explicit that this is about the authorization code flow</t>
        </li>
        <li>
          <t>Clarified the intent of storing the refresh token in a web worker</t>
        </li>
        <li>
          <t>Mention explicitly access token and refresh token instead of "set of tokens" on first use per section</t>
        </li>
        <li>
          <t>Slightly rephrased Web Worker section to not sound like a recommendation</t>
        </li>
        <li>
          <t>Editorial edits to remove the phrase "perfect storage mechanism"</t>
        </li>
        <li>
          <t>Fixed references</t>
        </li>
        <li>
          <t>Addressed all feedback from the genart, opsdir, artart, secdir, and httpdir reviews</t>
        </li>
      </ul>
      <t>-22</t>
      <ul spacing="normal">
        <li>
          <t>Addressed AD review</t>
        </li>
        <li>
          <t>Moved RFC6819 reference to informal</t>
        </li>
        <li>
          <t>Added missing references from prose</t>
        </li>
        <li>
          <t>Replaced references to living standards with references to snapshots</t>
        </li>
      </ul>
      <t>-21</t>
      <ul spacing="normal">
        <li>
          <t>Removed unused references</t>
        </li>
        <li>
          <t>Removed reference to TMI-BFF individual draft</t>
        </li>
        <li>
          <t>Moved some references to the normative reference section</t>
        </li>
      </ul>
      <t>-20</t>
      <ul spacing="normal">
        <li>
          <t>Handled review comments from Rifaat (email 2024-11-13)</t>
        </li>
      </ul>
      <t>-19</t>
      <ul spacing="normal">
        <li>
          <t>Updated DPoP references to RFC9449</t>
        </li>
        <li>
          <t>Corrected spelling of Brian Campbell's name</t>
        </li>
      </ul>
      <t>-18</t>
      <ul spacing="normal">
        <li>
          <t>Addressed last call comments from Justin Richer</t>
        </li>
        <li>
          <t>Updated description of the benfits of Token-Mediating Backend pattern</t>
        </li>
        <li>
          <t>Added SVG diagrams in HTML version</t>
        </li>
        <li>
          <t>Added privacy considerations for BFF pattern</t>
        </li>
        <li>
          <t>Consistent use of "grant type", "grant" and "flow"</t>
        </li>
      </ul>
      <t>-17</t>
      <ul spacing="normal">
        <li>
          <t>Added a section on anti-forgery/double-submit cookies as another form of CSRF protection</t>
        </li>
        <li>
          <t>Updated CORS terminology</t>
        </li>
        <li>
          <t>Moved new section on in-browser flows as not applicable to BFF or TM patterns</t>
        </li>
        <li>
          <t>Fixed usage of some browser technology terminology</t>
        </li>
        <li>
          <t>Editorial improvements</t>
        </li>
      </ul>
      <t>-16</t>
      <ul spacing="normal">
        <li>
          <t>Applied editorial changes from Filip Skokan and Louis Jannett</t>
        </li>
        <li>
          <t>Clarified when cookie encryption applies</t>
        </li>
        <li>
          <t>Added a section with security considerations on the use of postMessage</t>
        </li>
      </ul>
      <t>-15</t>
      <ul spacing="normal">
        <li>
          <t>Consolidated guidelines for public JS clients in a single section</t>
        </li>
        <li>
          <t>Added more focus on best practices at the start of the document</t>
        </li>
        <li>
          <t>Restructured document to have top-level recommended and discouraged architecture patterns</t>
        </li>
        <li>
          <t>Added Philippe De Ryck as an author</t>
        </li>
      </ul>
      <t>-14</t>
      <ul spacing="normal">
        <li>
          <t>Minor editorial fixes and clarifications</t>
        </li>
        <li>
          <t>Updated some references</t>
        </li>
        <li>
          <t>Added a paragraph noting the possible exfiltration of a non-exportable key from the filesystem</t>
        </li>
      </ul>
      <t>-13</t>
      <ul spacing="normal">
        <li>
          <t>Corrected some uses of "DOM"</t>
        </li>
        <li>
          <t>Consolidated CSRF recommendations into normative part of the document</t>
        </li>
        <li>
          <t>Added links from the summary into the later sections</t>
        </li>
        <li>
          <t>Described limitations of Service Worker storage</t>
        </li>
        <li>
          <t>Minor editorial improvements</t>
        </li>
      </ul>
      <t>-12</t>
      <ul spacing="normal">
        <li>
          <t>Revised overview and server support checklist to bring them up to date with the rest of the draft</t>
        </li>
        <li>
          <t>Added a new section about options for storing tokens</t>
        </li>
        <li>
          <t>Added a section on sender-constrained tokens and a reference to DPoP</t>
        </li>
        <li>
          <t>Rephrased the architecture patterns to focus on token acquisition</t>
        </li>
        <li>
          <t>Added a section discussing why not to use the Cookie API to store tokens</t>
        </li>
      </ul>
      <t>-11</t>
      <ul spacing="normal">
        <li>
          <t>Added a new architecture pattern: Token-Mediating Backend</t>
        </li>
        <li>
          <t>Revised and added clarifications for the Service Worker pattern</t>
        </li>
        <li>
          <t>Editorial improvements in descriptions of the different architectures</t>
        </li>
        <li>
          <t>Rephrased headers</t>
        </li>
      </ul>
      <t>-10</t>
      <ul spacing="normal">
        <li>
          <t>Revised the names of the architectural patterns</t>
        </li>
        <li>
          <t>Added a new pattern using a service worker as the OAuth client to manage tokens</t>
        </li>
        <li>
          <t>Added some considerations when storing tokens in Local or Session Storage</t>
        </li>
      </ul>
      <t>-09</t>
      <ul spacing="normal">
        <li>
          <t>Provide additional context for the same-domain architecture pattern</t>
        </li>
        <li>
          <t>Added reference to draft-ietf-httpbis-rfc6265bis to clarify that SameSite is not the only CSRF protection measure needed</t>
        </li>
        <li>
          <t>Editorial improvements</t>
        </li>
      </ul>
      <t>-08</t>
      <ul spacing="normal">
        <li>
          <t>Added a note to use the "Secure" cookie attribute in addition to SameSite etc</t>
        </li>
        <li>
          <t>Updates to bring this draft in sync with the latest Security BCP</t>
        </li>
        <li>
          <t>Updated text for mix-up countermeasures to reference the new "iss" extension</t>
        </li>
        <li>
          <t>Changed "SHOULD" for refresh token rotation to MUST either use rotation or sender-constraining to match the Security BCP</t>
        </li>
        <li>
          <t>Fixed references to other specs and extensions</t>
        </li>
        <li>
          <t>Editorial improvements in descriptions of the different architectures</t>
        </li>
      </ul>
      <t>-07</t>
      <ul spacing="normal">
        <li>
          <t>Clarify PKCE requirements apply only to issuing access tokens</t>
        </li>
        <li>
          <t>Change "MUST" to "SHOULD" for refresh token rotation</t>
        </li>
        <li>
          <t>Editorial clarifications</t>
        </li>
      </ul>
      <t>-06</t>
      <ul spacing="normal">
        <li>
          <t>Added refresh token requirements to AS summary</t>
        </li>
        <li>
          <t>Editorial clarifications</t>
        </li>
      </ul>
      <t>-05</t>
      <ul spacing="normal">
        <li>
          <t>Incorporated editorial and substantive feedback from Mike Jones</t>
        </li>
        <li>
          <t>Added references to "nonce" as another way to prevent CSRF attacks</t>
        </li>
        <li>
          <t>Updated headers in the Implicit grant type section to better represent the relationship between the paragraphs</t>
        </li>
      </ul>
      <t>-04</t>
      <ul spacing="normal">
        <li>
          <t>Disallow the use of the Password Grant</t>
        </li>
        <li>
          <t>Add PKCE support to summary list for authorization server requirements</t>
        </li>
        <li>
          <t>Rewrote refresh token section to allow refresh tokens if they are time-limited, rotated on each use, and requiring that the rotated refresh token lifetimes do not extend past the lifetime of the initial refresh token, and to bring it in line with the Security BCP</t>
        </li>
        <li>
          <t>Updated recommendations on using state to reflect the Security BCP</t>
        </li>
        <li>
          <t>Updated server support checklist to reflect latest changes</t>
        </li>
        <li>
          <t>Updated the same-domain JS architecture section to emphasize the architecture rather than domain</t>
        </li>
        <li>
          <t>Editorial clarifications in the section that talks about OpenID Connect ID tokens</t>
        </li>
      </ul>
      <t>-03</t>
      <ul spacing="normal">
        <li>
          <t>Updated the historic note about the fragment URL clarifying that the Session History API means browsers can use the unmodified Authorization Code grant type</t>
        </li>
        <li>
          <t>Rephrased "Authorization Code grant type" intro paragraph to better lead into the next two sections</t>
        </li>
        <li>
          <t>Softened "is likely a better decision to avoid using OAuth entirely" to "it may be..." for common-domain deployments</t>
        </li>
        <li>
          <t>Updated abstract to not be limited to public clients, since the later sections talk about confidential clients</t>
        </li>
        <li>
          <t>Removed references to avoiding OpenID Connect for same-domain architectures</t>
        </li>
        <li>
          <t>Updated headers to better describe architectures (Applications Served from a Static Web Server -&gt; JavaScript Applications without a Backend)</t>
        </li>
        <li>
          <t>Expanded "same-domain architecture" section to better explain the problems that OAuth has in this scenario</t>
        </li>
        <li>
          <t>Referenced Security BCP in Implicit grant type attacks where possible</t>
        </li>
        <li>
          <t>Minor typo corrections</t>
        </li>
      </ul>
      <t>-02</t>
      <ul spacing="normal">
        <li>
          <t>Rewrote overview section incorporating feedback from Leo Tohill</t>
        </li>
        <li>
          <t>Updated summary recommendation bullet points to split out application and server requirements</t>
        </li>
        <li>
          <t>Removed the allowance on hostname-only redirect URI matching, now requiring exact redirect URI matching</t>
        </li>
        <li>
          <t>Updated Section 6.2 to drop reference of SPA with a backend component being a public client</t>
        </li>
        <li>
          <t>Expanded the architecture section to explicitly mention three architectural patterns available to JS applications</t>
        </li>
      </ul>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Incorporated feedback from Torsten Lodderstedt</t>
        </li>
        <li>
          <t>Updated abstract</t>
        </li>
        <li>
          <t>Clarified the definition of browser-based applications to not exclude applications cached in the browser, e.g. via Service Workers</t>
        </li>
        <li>
          <t>Clarified use of the state parameter for CSRF protection</t>
        </li>
        <li>
          <t>Added background information about the original reason the Implicit grant type was created due to lack of CORS support</t>
        </li>
        <li>
          <t>Clarified the same-domain use case where the SPA and API share a cookie domain</t>
        </li>
        <li>
          <t>Moved historic note about the fragment URL into the Overview</t>
        </li>
      </ul>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors would like to acknowledge the work of William Denniss and John Bradley,
whose recommendation for native applications informed many of the best practices for
browser-based applications. The authors would also like to thank Hannes Tschofenig
and Torsten Lodderstedt, the attendees of the Internet Identity Workshop 27
session at which this BCP was originally proposed, and the following individuals
who contributed ideas, feedback, and wording that shaped and formed the final specification:</t>
      <t>Andy Barlow, Andy Newton, Annabelle Backman, Brian Campbell, Brock Allen, Christian Mainka, Damien Bowden,
Daniel Fett, Deb Cooley, Elar Lang, Emmanuel Gautier, Eric Vyncke, Erik Kline, Eva Sarafianou,
Filip Skokan, George Fletcher, Hannes Tschofenig, Janak Amarasena, John Bradley, Joseph Heenan,
Justin Richer, Karl McGuinness, Karsten Meyer zu Selhausen, Leo Tohill, Louis Jannett,
Marc Blanchet, Martin Thomson, Matthew Bocci, Mike Bishop, Mike Jones, Mohamed Boucadair, Orie Steele, Qin Wu,
Rifaat Shekh-Yusef, Roman Danyliw, Sean Kelleher, Thomas Broyer, Thomas Fossati, Tomek Stojecki,
Torsten Lodderstedt, Vittorio Bertocci, Watson Ladd, William Duncan, and Yannick Majoros.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y9a5vbxpUu+p2/Ao/8wa2EbNlKHCc6e+bZujmWY1k6avlk
7y9jgSTYjREJcACwWz2K57fvda9VhQK7JdnJzNmjecaRSKJQl1Xrvt61WCxm
Qz1sqwfFi4eH4aK4f/pFsWm74lHXXvVVt3hU9tW6eLjfb+tVOdRt08/W7aop
d/DEuis3w6Kuhs2iLeHhxVIeWuJDi3K/7xf3v57N6n33oBi6Qz/c/+KLP31x
f1Z2VfmgOKtWh64ermdXbff2vGsP+wfFX6tlgfNou/rf6XXFy64d2lW7nb29
elA8a4aqa6ph8QRfPYMZPSiWq/1stmrXdXP+oDj0i7Jf1fVsXz+YFQU8+aC4
rnr4a992Q1dtevv39S78c1bSO/GRBfx/UdQNfPPwtHgJU129rekzXvTDssNZ
uc/bDl784u1Q0r+qXVlvHxQl/ux/7vlnp6t2R1/Ceh8UF8Ow7x/cu0c/iX/h
Xv7ytHhSFa+uV2/dy19e1Nt6v6+ir+j9L7vyfAc7tqIttK11M9rLs/9zrz+9
qpa9/HD8/ienxV/Leqjc25+Ul/Xafcovhn0vnq2rZkjet8Zf/89y+7bc1k21
6NvtgeiHXjWbNW2Hk7iscNNfffP4/pdf/kn++oevfx/++tUX8tev//C7P8hf
//jl17/Xv97/6r7+9esvvpa//un3NsKfvv6CRvimGlYXD2iCQvD0CX0QTj8s
9uqiHK7O5SPaEffJuhxwP6pVtVtWXfHln+bF/S/u/55HL7vzagjHvMHXnPb7
anXKI5zCvt2Dn/71d49P4bZc1qtqgVeg6nq8FPTBX+nf+KNq+bzq+/IcydvP
/tvXz78vFsXjru37BVzJww6OoNjpbz9lXcV3ZXMou+viy69oXV9l13Ux7Laj
ZX0GNLUIk6ibTXLMf/gjH/OzxZNT4hw43LLuF9vyuuqAa6za9m1d9RF3mfhN
bphus/rD/T98BX/NjhC+hodxC0d7+ikb9/H7Br98sa+aZ0+i+fBHxeO2aarV
AP/bVcWXwKDrZtV2+7aDjYXLV3Xwl7Loq6G4n31jC8PU61Pgm/fwvb18ANtI
48L/dtXiy5++WPBI909xilk653X9LrNHC96SH06Ls/JtvTt0ZfzFd6cgUsr1
trqOP39+WnzXNnSW7tNHp8W6Kp5X66oG+o6/e3xaPAdeXu9g1nKLHp+9/B18
Af+VD5416+pdtX7yCEWG/FW+Onv1DG7ZYdlVfXvoVhWKlHPhlfg9XLjH3fV+
aB++fEbyiP913pX7i2v4TH52VfY73rj78KuHZ8/5rp4NcCrn1fimfl9f4lmd
DWWzLrs1LIb4NP/8H0NzeFd7mwBMh5nObecuLOsfNHeQ7IswgzMQSdG8z1RG
+ZktZGbPn/yAd2ro6uUB1q/0ReLsefvv9XZbAs1fVlu4J13xQzXgi7JzW+uv
Tnf8HE2uahY/nt0Dntzf+/MW2DMs8Z5M6AWQysvHF1U5nF1UMFJ02/G7gr4s
6NvsK1f4fY9fg+wAJnjaAinulYmcAesFIftN/Y60p3hP+LtCv8zzChvt6uoK
CHy3OzRwOe6Vw1Cu3vb3ZJCfNmEQviB/qa5flnVMPdE3/xmOA+j2Htzhe/HE
ZrPFYlGUcBm6cjXMZq8v6r5Aiqs3ovQCNxpAqemL4aKC/+/wCOYF70kBbLSv
/u1QNasKPlSNij6u11XHWnMBd6dYVv1Q7PElIOJxMDjpHajF8MVsKN9WDdyT
oS3K1ao9gDC/uqjwzbQmvICRel2UTifnoQ59FbT4U17Vrl4D053NgM117fqw
otW8/6x2//x59k/uz8Ty+xUcD8x5XW82IINhdmW3ugCiXg3A67fFHjYDVPOe
jId6t99WqI/grINdsdrW8FkPi4wnD/x5daDf4je6zNPiNWx2PI/2MKAyyecQ
dvqi3G6r5rzitx/ZJjyEsim31/8Ov71or9xybAGrsikuqu2+KNdrEBKwFe2u
KtoNvhM2OLzsVLbKlK8N/KWHgWGi35WX5Rls2R4+BS1/qJp0JitacMlL4T3i
/SlO1tUGFrnG3Xj/HlR5WvqXp1/iJEQ9/vnnu3MklqqTga5qGACHKiPrCfVL
uDQnR8YBI6lol0DeDRIeLnhogRR5s9o9PgQrvi7AWoLtuJBv+XRkxrRqerkb
oGBKxn/vwYaD18OSVOrSJuk/ZJb90WmCOYLX4dAbTc3plTyFeXbdc1rD6DVg
chWwJLuhtNXrCpSiNVMCaBd4lbvqHMTdFlcAU4HbCO/riqpcXRRw7O0VnhHQ
GzKcEhe3vGa6BK5WsD0EJPIDLF1uetlcFyBzY0KgSQALgDeUjlbg/4FRFd2h
aXDBLV4M5MZ4GVswsJo5LqG9wi+R6IFo3YWUN65b2OimHWAlcIDwaOAOBZEu
Uq9cbSI31KmE1zH14W5vqwW/kiz6n38G7Ql2oF9VTdnVLV8Ye0Gssb5/zx/A
QzjJTbWWrQKK6ejIcJ94K2BBG6Bn2Od6JaQc9qnA9yONMp3h45/3yQBFP8DY
pzy90iY4L054yLaBORKpBpYk9+8AJ99tr3EzE4azSZaE1473FG8c7FG/gvNn
9pCyTTj9b2DVDdk/0WpMUPWeoHlGcPLxK5GKi2dPX39TPHr8cnZCQgQ4H3Mt
ESZ3C5Dbxf6w3NagG6z5+M8PQN09sYnzztbDbAzo5KJpt+05qhAJH6uJj+7o
1r9tgM5xm96/F2sbzhL9Q49f3v/y/rwAkQ2DAs0ifwD7Ad/d4u/vPNzvcVF3
+FhnxOZ4Xd+AdFvTfBb9Hsi/xafQfIHZbetlV6Jew0soe7ocbr+QTa2RLYF5
yUsxgXoaTXIHAjUcCEwPr08lL2ZJgRIAZkuCBAnY5FbEkOmdfIgzf3WRAa+2
hzULLm+RgeSomW/KQNU72KGe3gtsBO5YU8FVWJ/mhO381p64eXFRn19s4f8H
lmaRVASmCxuGnAz39ZhQhPlclv0AGxDEIew+cPCLtifaHpMwqj+wmArYKPyv
iEoVzPWu3sIh0ruXoK9VqNmMdQLdXhgg8wLWmCanLRzME+2+q3fwWlgHS+K1
sbw5nMCq2g+y+wmXgp26pJvizi3W3uCgniP3tuuTUlNJfLODNayRie9oHx7h
TX0sN/WlUCmdaThh89QR6aKz6uefaWtvOLDq3Z4lKtDvpkVJIKeVzGwmp5Ru
FzwP+0tiGPd5c+hIuMEpgh6+gkO5RN556EcrPYc1NiwcbMKwPSjnStk72NdL
PGh8/T9l/yDdV8Xb6hqtSJjFnec/nr2+M+f/LX54QX9/9fT//fHZq6dP8O9n
3z78/nv7y0x+cfbtix+/fxL+Fp58/OL586c/POGH4dMi+mh25/nD/32HtYM7
L16+fvbih4ff38FFDdEm4UbD/i4rVrX2XYU7XvazSGgCKyy+/D3vB3oxgfcw
H/ry69/D31GL51eRAOJ/wmZfIzOpyo44Gmoj5b4eyi1frP4C2S4SK+7t66rb
1cStr2c3qeqmi8GEd7CzXiXDzYj1JDjXfQuLG38DEiP3MetQ+Dnf3vC3oiYn
8KaGr4sT+ezZExCYd8b6Hz4WKZT8gShqqFp10Sf2Wjoy1i9t7oUqzKCAhZtF
Z8DKozy2hN0GGuf3+Yfkp18xKT9rjBHg6Ye9dHo5CTu0+Nbx9vfzhITwOEj2
8SVF5keDPZjN7tBc7zyYoZMqfgyWzl/yi/D4wsrmfmm0snj+dx5NsQ5618PI
+mIxi6++BmscPkShv4YD2LblumJFlO0zXnhJGqwwpzlY4Yf+QM9cARcbmDME
4+e0eLjtW7KghnpX9amSUBZ3RMPcl+cR+4ejBj555+zlwzsjO2td98De+9QM
PCrl5qJXMu+U9YjCLk/x8kDjxqkCdV3WoI3jC0/xfHYtMHNTeuciB0Z82Rl+
J9+d3Y1/oNo8vcj9Ugxguo/urX8mVosz3Lf7A0nU66Bpmno7Jjij2eJOeMsd
3HPaf9p84Dg70AHLpu53qmyRGFm1a+J6skvMFaOVft7bLsmXkck+ko1AQokz
JMtpUakGMb0FjfgStTGw9N8ypeAr3HZty+b8gPSCrobBJsPKaIkEh5O9JsOW
pJo+wHPJnHCfLGRe9GRE9ByQBFrbLWFAsE8X6OtFcxTu2cu/PH5KV+pl18Kx
/KW6JuH+GDfw6TvcW5jjCf7qLl9RDGERNwpbT0FK0EAqlJgmdMXbFky2mAnj
EaFOcufJy/YlzSCwvScV2IjoySJFC6bFk8O/tHhnyAV4gg/KpDBWBnyk7v20
mFZYF0jcAiwQRb2CTZFLJAwfBRuwCDjOuu8PdHw40ccvXp3RRDle9aKrz2HH
Xyl7P7uAhcN037+noFyyR0ydQO5LsMVFk2OvV+sPDcgSTe9Fy4PvW6DXa3r5
GW/SYzKuB9O5YEfwJ/DWBcYO0rfClukWkIeF+EdwYJTsKFjhxSSmSCwMjWGK
+CFxyhVCEf5tja52ur7hrFB5mI6z51WnY39ms4cD332kb9q18DI0EOsGxBqx
a5Fa6mWalCfzhKe6axixNjZo0OyWOC+/nrdvi95Q0P/xdeaoypwVnBB7OKr9
tr3mi5ls2GW7vSSxFAmxyE0SjBh2W6gtk/eNwVVvgYvQ9lzQIYkQRHa0B2Kt
geqQ0tC7ioPE6Ql02UlXKobrfeVdWL8fedqYhK7awxY1oX871OiIKlZ0JWQn
Xr4ABRi/A8oTnX0L5hTr1jTJtlFvJMgksJqcPYufkZJSO2O/eIY7v4IlbpC9
RxO8n7oUlciHQ9dkXHrCJclNhZ5QsJ+2xWVdyqfl+U4daPryH199DyR0vUdD
HnWfC7Z92Wd1ZOlwY9qris5nIJsNJUSPH4CBse7KqyUxSOEA0RLnxXnV4O/Q
oieCwTdfHrb44bLesl0KE2pXNTmjjCTBKGp79J7J5HNrhwWdAgep4JLU8taf
8K3i4kLCRAdzX/fBWlR2jneLzsjmDz852MbEBwXvk6sHtu7DYJn6waaCDciF
lqhzHpr12FYjbQZ+3BDbEt8Kq51XaAeDNCrX4mVhMjrOtU+Qu98NzFsdbtMc
e3z377L2cdTudZcwsITMdaTtw+1BFxBQmScs1mxENo95Aik/eo7+9EthrJHl
AYRQgw1wC7agWyHOS5Yt3p8uatyyuigva3RNoQsA/SZ0DHJh4r1x7hO08OdF
xepiezi/0GCF/gQvz1CDzkcuwpV9kY813B9zLrwixIhYI2vasD3iPysklnxa
fMPOBHQmz8mUAhr5MBVJ6YROUpSjPndUdfOvPOfIHQX7CRMSrZZ2pd7QiWYG
YP9ohxRarecoCeCjQ3Po8cBQucHn6MqBfssOXTopuCN9K4Y9eXxE1YQ9QVrd
gq3Z4ICkG4kPKIr/3RSrqm9P8I7Q6KBwP0kXF75pauV0yI5F7vEoIzByWCS/
ApeNf2lR5YathAWiL5fOmgXrAhkSyX2QWHhXnmLgJPBEF63oidzNVQvK6xrY
w2aTtR2CHad2YHBfpXZFxDjTgCzZCBSWqLt+WKDUupYYiwQ8YofjDP+ggfOa
AsC4lOclMmzcWqcXvf9MIsQ/30KFQ8diZgyQQ6Ri9vV5Q84FON+u7t+S9n3E
J/qQQ9KXsK9t1wczhgVtDxte9PQG4tv/6wzYtugNeFBAxrUypx3GrZgd1luM
hp2TgzZcBn6q3LNIJWsL1DA4mGUNB9hd6wXNWI/B3l2hSv5ONZ2dbYXeTVTC
alApSU6bYzU9m897exnF2EpSJSUqzwrvXB6MXoBiEt9AdgwG4Gk+XbtVBUD1
ytGE2dbE58ne3FcdRkwoqks0yrGh8cpZ5tHsVuhN5Inh0qtSw/gTE+2HClUf
TPWyjbAwEPDdEA/mG8r8yEtaIhxcjiyCshWatYpG4jdlgYpJpUzthoXMR7Pi
z4U2RSJ4R8NJdXp+Oi+2LSjZkv00DzlaoIGCCoFsFq8k89YWabEflDWvugOo
bVuSEHhiQLS465f4llLYPizjsq1Z1zJypemdA+VQhAbGhQ1qt2vTaemN+225
Agn2pCU+1qrB0fN5C0EGOfhgNlsUZ2rjEEdx+7voMehDcwM2uT+gDcuJyqy8
lainCx+nXA/YpPUWvz40lC4N78CdhXd8j68kC6fjtanOiG46MfQPzeqiWpHL
5KLu1sLQzGCFUX6k03fJb4Vlv6ERnMuKY1lsroBLoMu1sBAhV9E12V9oLylh
p0A1EkJgheZC/nWjHe5dIqyX6/WjZaoYr3QmdEns1ULtzDZqCXBgIttXuOXr
ZfuONq8FUgIuDTKewpGdD1b5tJBu6M0eCFcASNRCJrG7K9W9SXqnqV0FJ29h
gDzOCCMF/UdMmx1gocwgLsR3gEEBr9QQzRjRsVg1i4CCv5QsoxZUh4nZKPhE
kiivCTekxohQifyTrhfs47nw+egEdhmJJekZnFyjxHk71yxuEgUxdZvh6Hv0
rSfvOsuwADjBLRBCWMxPP+Vmx1z0QqL9lKCx7+pLEGzkFOSP4R9wx3ZIEt63
gI/+9BN6srcwh2wkru3VT4mKIW4uJgZg2tAablGFDiDv2Sl2vFpOumHNTp1r
dKPaZiPpEabozZoK1W2Uq6wb13BecOPxO9huclEDHS7rRoLINJcKyJiYI3An
lN/9LIj5tXh6kQKCCGd9E53BkZqJalLYWCB2ShpQS4PXjBksSkrlUqyceBhS
rYl/oXbtTPsZ0BwxbuKtQnLEJOAz0fgKP/fohFAML3Xms+iVYI2gl7jphxIo
SrZFTBc+BuRdwbDhMAXdLJiEj/ezqVCIsIG3oV+DH1V6Jw0cidgdpr2EjxtN
AtT7rws4qrUkMTjXqvemz2Z/lXkco01ePq8IFX02NOEd6MYyGulTBQhI2Z5e
o01ckgzT+5FYcdPPDuUO0zLNh9JV5+QRDRyDjLgxB40sNrEprv0PFlv0TKBD
C/aGUivV2L7myOz1Xlx1orVtq6NaC5MCLBQzEeYx6+Mcpl17SUEF+J+uQ+uF
RdAW+C96lGAKOxDfG4kaqamOzO1Qb4cFvNK2uzjBoGdLFLGHqdFW3GVzEbj5
nlQ2IqhNVyLJ0cRFmp+ynVHv9qjNTXBcdHYeNx9Lcuegs3c4rGsJ5uGOLyjf
CabRIs3DLp4W3tuG+0na6afNIKQ4lk2c4Qhz+7cD2iKHpgbV051s/j2sp1/p
dPB3lvuIb1ofOlaq5DVIcWJS9OLSAC69bTsNjbF9lqFotrtYD55amad1yl+q
zanYbtK1Yk6SeOw0dgj6TYhggiJaXblkOua9QpasTBAnNcoHolPlwiQ12l2T
Yo8cAagZ2Dv2mEuH/BSdFAUc/+B8nqB44jZcVZ3dWZmNeofPMasQ37ysrlsk
Z0rtUdfYOzAXh04u3Pv3PjmaoguSfDtE9O3dpG6ibeN8H7KffDVYl1nrJEdZ
EFfo6+JgJ9ozwllz71APg06SDp9nGeswcT4VuXFvyIUmj4FY5Gf2wvefpfSA
idpH/miah1Aya0dDb97w0ZKYhpqYu2k4d4KSvHv82oWD+9upf4HSxtPhLDmk
LNC4YL7hm5P37/UfC8kDgLdtBvQ4UuLBtlxiTl018UxTXS3Y9373tAiJtqz6
NIed+HrYbmsW1buLEqwqEN/zAgaA+428EfM315ZgsTAv1AZYBJqTzLNl19lT
2rQ+9td2axLWs88++wwdwriMp7Zhr+lavMZlwdHnl6snLF/CZnKe8vTVkl2e
S0JbJMtY0egldUOekSvHlwj9JeI5CNnc8QQoKdkoPSSvgCTc92T2PhWCGjFR
+O4Fq7ai1pi7InYh7C0ZZOQnKE44wkIDLORrOGW0tisJogSdqdQ0d6cHSFRa
N4XMdExubjtTFcljva10mspYxJpD25s0D9T2KJ5enROzXVdoN8oIpPimoaRE
U42i5+zVhUUfROBx/jCe1bbeUJaMcWJ8gpWWcawgH0YoOsnCK07KKF8pikqG
uB+HhO7CvzZMcOtqkN8xX4Tj4X/a0ZzSCYBcXHGaAb1BFod3c/Tlgr+01xBn
Cl5ZqunE6UiSGL0b3TSYbsPnE+1glFLP2nzMcGiLhdVQ1h1lJx/ERAO5cODT
ZBaOAYiuv8GqFXH9YWZtxlplr1RkMiiB4pVUX2pdmSkgawuebvVw62qV77yE
VZCaOkxxnL39IuY6me0ruRCgXF+WlOJGZgWzf5bIR7mcjXSEvaO9iq5DPB7Q
A3bVuiZnB/sT2T9DJHXYyysjETR2kSb6fF8N+KzEm9VyJv+apNOx43LMleS9
UnCB6coHfAecb/0RbPI3R9jkb+AmDTDH6D1SOkMb6dghe01pUl9+sQACRMVL
MrBA17gst3dnRfGbX4/x4uAfyXrpUWK+4VlYPOIIoKOz5lNo93vyeWFWw04M
/8CpMQAADAHFoiOBDP/W26a62aoaXRliECPnV7klFwT6iEJk071a6bF3K/S2
JVMG+7HCfVErNLlj5RZD7EDth82mFqWTav7Q3cZmrdm9xg0daYTATn8Bu2ai
g+z+vESQ2GXES5NLgyaWKg9u5VEcnGLjPRiqoXhNinEsixIvDzoeT4tXedkk
bnRefC1nrf7e4DmKF3JKiauRRgtXEjgGB3vdiUaWGpgB+K6EjpKRj/gFKFeH
DaVJXsF1S4FzXVQ7UMxi8qaCp9W2tUo57wiB12d+7vaUTC6QnrytIengg9eq
Ljf68RJzLkXkU7Q7oZyKnFznXP0de4oPXD7HsbJLcRLLdYw3dyYC6uEKTP6+
Nt3i6btB7Hc87B/ACH7Nu+lElun3lLPCwl5lUnKlRueGh0kSBWQnF/L15GDy
vrl0C+nyy9VUd51JquQNA5UX0XQGykXdpK7U2CoXZysnW+eSj/KBwr/y12iO
8cgZxxUnQcCFuajXa0p2QJcS65QlRoXIktji7ZrIllH2xT8ih51Y0EpMQpDV
O5B3HOPnTNLjdadSfnnYDsoJMStU4lUlSOareVR6GbGak2MFqHd/aZMFZHFB
wliUBFcWO14ex8VVusp+i5AG4bBrmxoTCeXa0NeweT+++h6vOubLYVqx4bqA
vPUwL2znANVV3fhQqUCcgiSUME8hJsrpxChIPagjNZmvSyhMl6J5UXo+/Bo6
/XYFeq53pgoR6NnD2+eYWcM6MX+GR0KJRuwnnx85/lw+zsiMx8PD6tK6MndQ
TMNnTGn9gfQHOm+hYlyI6OVI0VxYk2jSyCV7ivKVhPAxSq8/JbIhVnVbOggJ
fSjTkMwoEbEfSlKPhL68KZsZ9NZm7dPbJLPhTdMKS9GWFsXDY3YwlTvUO9xT
yi0Cbleiz08Wm1OngPqA5fXytuCJpbWLqk+FeZKpawLTmIo6I4DZYzUhBWw0
fSvl1RqsZF4xVmSN1Ur6rpMIklCiS++CARsUZvN5RtyWrgXT97KyofUKZbbZ
0/OyWpW6405Q0dmOlIJRQUJiLE6lPVKQas37CfL2guZIyyp9EGlKDkzbhJYK
7ZfhLWHJLIwN4rjQU+4x5uRowTi70dc1+hmAQT5jiIa8KNRgmG2e+DT7aZdk
Pv9Ik1fIDXquLD7OZQKixQrLKIGGQzWgiVIQnRjb6GDora7Qh03VuhnnEIns
5teM9kHqr2SE0Sw4j/UYX2JPuWQAoseS8w7RAaun5vJyKA8ui1QhIWkxTjLU
AQopGSGR8A4WCesAWUMAZwY6lgapfRzIzph0soIej3WF5J49VMVwvLpgLWHZ
S1T1QgH8fztIrvjxmWgsZqDgO9ZnYgHrvqw7ToIlW74hbAN+kabkA1fYBoXS
ZvyKKgAo3YerzyyixVIc3fvXkxedqwh8gJ/CikILLWMBiihEqVtKQgWyKLX+
MKeJTpQHc8mGXAzPuWQYQlwAfysVXEDjG2Ffl207oFdtv5c4nOdkyMzg8kuC
FXJppG2yetgrRC9eID1QmmKxg3tV78ke4cS/pO4clR42IUtH1ZL+ZQbHy659
R4kxrzS9TQsVfmQ1RkpvIh8ZPjPpGJNcsNTTxEmvPokuBK2SAtaCL/j2ehSn
juKjudKWWAWzgrtniXNDDTzaoFBqEZsu3rMS1YIGlVcoJFwDNUVJBGpIB88V
L4IA8lEuqdjE5CGolcE79TPdqHSLesqUjvUc4RRZuWbj+Qfz+RLZa12Hukwv
MShJSDn10QyhX94SoYicK1goR5vEIamWGW6IRFdAuq3Jgspv/tR+p45TjDgB
76x39YqH9nkOg4WQjiRWcFpajpZhxqBl74g3Ecul116QkBhhB7WH4bz1NyuZ
KYHb6EmRDEIelp+h4dNQIBSZF+WDS2o6bfGBa5fcjgXblkO/0QxpMnL3MiPS
LeFSVDewUxNCnZPnNcJZkSYpT0PQV5AecCwyyCRZBpPkrSTIy2vWr998Owz7
F832+o2ZZnJJgWdwXIIy3fEQVlz84K0uo+WyQT67JEV5v+dUTnHVsTkyTthx
ApgTchP6GAlhzM3AuqdtqGPqs5qG1J62hDnDkTMfY3/sw/jvP4tSD3Ix9tns
7EBHujls4/iCBc+jnUhsWXbS469HsFlpvK7tTBENGuZF/a+UmjBBscf5flxM
ESUwUHEKHEVJkGRpjUmkkRNHvk6KKZaVlJ9JpJNzaiXXgpIOGNmKpOxTzKvh
cNYZW5Hq9DV3npvcosOw01iRt5C1JBjH+qKYL9PrEE3e5wGmzkygVN3RMp6i
VM8cdWSp5GImq5wwNwxKDIm+J/xCkmfqkQaRkMURzDQJzvgNLTWaFixm3AJe
Z84ha6VoKKAXBBJQYwZf3zalD685WZehTs4Jj2DVJDNH7g1HAa6NbVzZmef8
hDDDA2dDJacmtmY9kB0AjKLumAeRDSHJlDZ2/DDdg0v4K/lw0VUgkZVjhFRb
lv+hEbw19qDEY9P6yaxjgqX8WFVbQRJ1fOnJebEur3vTSsf35SGfd/a6lHhd
nm2OX5aRWHI2rTdo7ZSrWxwwY2EcUUHiGpZ9wBYQ9hkVT4ZMIq+EUvFJqBeK
ylCa65HOw15wElY81nj5N1yEaFJ6DyiC9utdBMyVdtQfzYDIuTcSLkeEexNX
ujVZT9jmUqvAyZi0EfMC2Bg5pYnr7uqGHCworpCqk+yLKjn40RLl5NFOODRa
RcL4f6mO77PHxNo+QiDpps9F70HC+fb165egfMCGAX9YV2gz8LZRMfpFVaIs
A+I5VHxLl+36Wg8tSSs3Wx7dLRxoxLUkEr+TIpKCKmMx0Yz8pmiivK0wqFxt
U7AZsdyofgajbDX5B1s8lNgMvyhJ9E4bcdkkGYTIduCpVABHtISLyYSQWBGM
xouInNa5RBHbdWRUU91nI5HeTDbaHut9eWvg9ZgoNwRvVqrMeBU4haT0aJQG
Dvrl6e81g4lUSJe/fHVEuWAO/gFBJg4Z+Olksw+d/tFzGMn7f3pLmFAStbkt
nGtfnUkpZaTGKqUD4FIqb8ij0IrdTNEytVTXAE2soBWF0mPma9+SQkoBqUgK
saKqiluaoSPi0vzDVEzc151VeMSURobM6qJtaVu8EvyxLpDXaaXLhLixIk0E
8ttbHbCxsuOMHucuI4D2zbZMyG0VNy7OkmohxbPNdZlcNGBBIfqM0RvGriOt
vuyvYZ936NfcknHJS5vaT9N66y7JXklklcaDR3ASwZeH9PFWJ6sJ+wxLPUjk
Bl0C202aH56Sd8hREQGhmOGMQRIBlTOiUhAt8t4Lo0jEQSG1GDPT0V4jUBdz
p6moF+ZFDlUXTSrHA04lDrDBawNrkgMZfMHAIxFt0kyBfy1VHOsZOdIB9LJi
IMpb+U7Gnh4HbfOmXIM8PpUfI7b5G5XgWDJWnx+6kIKKmByCrcFb2lWYJdAH
agNpY3LeNsi/7qpaRi8DuvfBOM9ffFqUjMQ+5WUV/AvyfdYBlXyIUWauOKV1
6PKYfAzWmAHLmMyCk/HhaA+V+8kv/ciyQ1xgLXG9/rCkhAqk+TUqF5jOtc1v
HC3Y19SNT5jYrKv/Kx56oOaX4ky/GSvAx3OwgkXr4POgDuUliE1SQUgiYoXS
+jYg8jFU9MZSxvDZjE2KMPOw49PFMjqoBPBDfXlwlhEUr5Y+m988rqyRUvAr
zuPZutOArbA6xPHYJ4/4owVcs8U3GuBCWN1vvrn7d5m6QgVst/0Yitz4TEga
iNUTMgsXzyk/Fn8hy7lp6jG8vFoBNlPcwImNjuPOsH8Zq4L1hbuz2SSkh6fE
kFwe0IUV4cMqro13llpRhB7BazYKbChL5dRE8a6KKzPyLivpcQXXULaPmK5R
wwnSAug88prFcrM5VpOT1OOE3gh0ev5uU5LTJ9EXakiUL3LsyBQs3tfE8cbB
wqTqGdkFtqsZPf1gNvsy/FiH6G9K7Oo5bXnDoK8GdK0tDKaqD0bIQrP74eW7
sqGiSIE85HswdqcqiWpwhnaZnduKO8HKxTyGSpDgugf58gmBUe3t+LRmvwsT
nWBEGS/JXP3/mhga9lWKK+L7vqwQ70JfYA/lQzcuK9JRHctTnCZn4/SWSJQg
8gimBWfJOJrTsFUmGwC2QKsY8PAPIQWQ0UZiDoBlpOisCbolUuk5KNiUas0n
i2yQzMV3xCt5Oi7xqAXDqNpTc4K6sRgFL1At5pH1oNZydg3kUfPlcS5LqBrF
5Sgm6AK1kwQyH+nbES9wL8HRsB59zVlWkRrtKt28Rx6pwhJ/g9eBzXaT9EIm
sDUeNa9p7RH/S80eMTXGWP7R6o6bavYmClH8Y6NKlJ/v3nUsaMRaVHyxB93g
wCK9nUPB5uHHLAdJY01Prji5dSryRK3hXZ+CHSglQWdDumGVku7hjUg6Iztf
zmkE0aPUn6YQJDnjJ7dOgIjOhjIgaI2xo0+y8jWsaCH/I8cRrDPTINlMYnOQ
2nVkTxUkainYLTTQyHijbeFR7EONSE1p2rPZf/zHfxRl2V9qU7L0z28TQf/b
0ce/jf81Mc7f8v/+W/SJ/9fkOHHyTxiHb5aMY3iM0+MUxVOBLIzmYx/yfCSV
9ug4v8S6PnyfJwayP/9y02f/ctMI6dqKk2/uhs9O/nJ3ajHTI8Cfy+gfN45w
m1ekm5fu5W3GyE31Q+cB/6/K9GasTN8wxsmTu7/UPD55P257rv8y+u9v9e+3
2fSTR/NnuOiTx/Tfp/TfP9N/v8P//u3k+7s3DXMZ/e+lm4T9/XI2G+/Ib22E
G3Yr2rjx6eBkH86/vXvjyflnYJyzodTOxN+ixvM3mcc/Z8ZRoZQbJzOf0d9u
ns8vtT8gTmbvHxSfberzxXIJQn3hDEhugfhPdwJuJ4pscfbcKX6eHVPeVYST
DnEScG5CcvNdatJEGZWSKCxuvJ63GoF9LyiFv4kNGzhAQaEZeYfRTUSqSg7U
P3KFI8ycsxBJa9uIxllL6gOhJKmQpsjRll0PxR16Xr+7Q0aBIurCNcFshk1m
DOpKdWjWYz0b03LQDKiHqCUY1bdSrh66FN7W+17tKqn/3RffKcZS0x5/3REj
nlHSqOyhvKzPzdWuOwMXnvPJsUxnmAQLNm2VfoAIrjPrGoUwvVEMyhGaKqXz
wpCyzP5jSFYK3GluuSphSg4aJsh2hUE+7fLuD1LeqWOhZUJhPz8ggs5dcgLX
VGGL7czTuz5kiB+tSiFEw2iuxZoTCyYHw4yyWhxoSAKiLa5gmmxAsKmJW8pT
wAwmbFMjMV98rxXk8byTXO1wLkkFlCTk+OOQr3q1h6gSXf0TISFWMonUvEUD
5G0oPtLh/3wXIV35Q1qqOsv5AIQcp6jJMKS19mVNYPd+ry8E/oZiHA4pZ8L6
fyY9BWGU5bVrf1aG2oV0hbCGuV6SDPFxr4TojWaQavPKbyNjhC4ufEZ+gjXf
9a3daGJvfA229Vv0ZSfIqmJJRXlVEYTlyCAmaAbgWe4m2FzxEfZaUMYnc7aI
MQqY+Khw8uTZXdfCMROqY642xdQ8ONx02VBxVTZsNAoUusvoyYZi6oHszX78
0xji2a6eBLboOn+nRZkhgdblivMgdAswSF43fGB/TnYBR4pLLyX7Vku0FIA7
vorBf8Awbr1/n52oTGweEo/dpU4TkOMHfPyhtl0BoXGg0FAccAJ7IUyI+Jk9
G10Of+OmRQxohmrcPtMuevzNE25LTN99Zg2eqYUk6R1q4GFeGTCnn/TY+p8D
6wvd77Skxn7Ft4ZyOAKISWiSiLOOcNjUmX98Oap8wMsTkLaosVNfuYlwY2DY
d9+hFKv6sCsSA/LVXbE/dAjgZlU4mECh6Vip1hGExxlm5ReP6KlneoHWNRaE
gka1BGK6K1pNpKmsSl+RObncqOhBuAQm0QRFo6Fmm1z3Q2lg6qXL3wxeh/Uo
8EpLkqbac0o81k2sSPO4idC0xa330tS9vMRjqWsmgooRvePsBXYrCq5fZtXD
dbRe2N1DqF8LLO7Qm3S2/eaCTtGi+qNq1Alxlsd3Oc0dLssq0+1L44Zeb/NF
hlG71oFC55gQ1mQ1TEKAoJNJvVw8F0S2rgXIkN8WV9UoeGzoLGEQ1C6bRShA
+LBG+lX0qtxjZIIblTyf2Rw2OVJUUQeWotJghMhZrzW4eAebyPoLRaioURdX
Kc5OGptmfLx93MkHrRidZlAAJGJBuOuadKQOf9mhWynbKoEeSdJYPdhB024t
DYQ4c9HGOVr4am3tg+1zMluOdZ2pfsQobVYDmigBisEcGRcMlCJaRo24As8i
AE9fwCFthkgFPfRDuwv8O3BjbpVLSdYUNBUcYIpRoLnE52aHmr2ZQIFVyG0f
6/18D57ynTTWmVlX6tY2MzSjCCfwvATOHvoWUvMApCMgE2vnKOFUr0ajO586
1upFEfJxSa3cV2hIrkpmLEp8pzA3rW9yC007kLoSutAGIe0LkJxuzUqsGpzJ
DceFp5tCSPoZfs3VRIzGRhcY2PCdaGnJQMpbZJPX1Z4zn3LSUlgKAgqPisf4
VeFNXM5r0A6xVU+Uu+M6Fa//57fUsSi/vCYleJnJaNWiYn2WFLCIns3mZVrX
M84O9TB7EcheOAAPsRRXFfAd+YYNR2eS1sOUBXpq5QE4MhwNo0m5oM1Is/WF
FE4Vk0LrBC1IZFa+piao6bnUWh8kw/FTBOCJIJ+aUoc+pMvFbd4NNSAGK9IS
U6WCsOGStqlaJVVhwmlR5nLcd0F0PEbOVqNBjb0M09fRfHdRbmNpFW3cybeN
7slcBAUDrFgKDM3rOzqUv5zizOUkyUOAU9JGZE6BsoiuvEGLaGsFBseroPxk
fEihNAEzh+lhK0MgIvGcmQSrA7+UfdXKctw5jVN68zQpP+Kih7hOWXCMjZrG
lR0hg1ljvE3AkcBo7xFkI3jPhlDM0X7grvCVOF8sb5K5U4LAmUsqkSwVUydF
41gKjoDyzl35rt4ddqMhU0yzSKW23HUclDpIqQmWVsTltH/ZS6zr4vqGmvtZ
EQkk664b+t5QUIybMAt87BeuZuUZqbpRmlTwdgV7MiQ0BTc2h4qxfeq6A115
UVfDZnExDPtl3S+6zeoP9//wFfwVfWYZj1jK9JwwUlhPJZXwW83+fZw5Q+1k
5dNiyBFG/Ib+PWd4ZG7iADcYP0OqPnOP6GjSAkKyMcJxWD9sGtxusU8QV+3W
tH1tXVYW59RkiktqYRsitLX44FEQUbl9KFgmvTggkVE1EWU7GXYTs1mW1bpA
c0CCHMa2OheM7ROQuoFJYWRekcg6Q7DQrp+92Xt3emDYb+2FvTR01vd3VWj1
7Dod9263taSnz225qEaSMEI776F7UbffwWYvcL4OPhpO8HE45DDc/oCMUQ8n
CZkQS8KqHHSgJvUiYCJ019w6rqWsYXFpaCU3WBEBNEKYM+wyEgNZikrl/mxw
DpycRdW23At5R67tI0QQa/KYa4n41F5PDXt/2apzIq6bWeX2BoXawSFmRXl3
mmvUVx4gXXz3USWT1weyjFXPUe+0SYPoRpNTxDZCcsjaADCgU2DUhSDFFVXy
hlpt8nF7WE65O1PaFIxwb4S56eAs4VrS1Q5VGZkk6rlJN3wNgXZQgpYpEQm7
zm0fUPYj316QQW65M6P3R4hLNC75HgWV5A2aOktdiVQ0YJOZkO5MzkZQ4p89
wYLQBs2UWES09Xol4sFhgoWCAWY3+aQ5q27Ad2ptQ/K2KBDB+6d4v8kvCTDA
wpt5GDyM1p08RL6LuHC0cQTQ/Qb+09TrN0Wc2arq/u9OvzyV3Nb37/m1Wped
cxMwtiIZzCjHYY6vRbVjl8Q3sX1opoBYp0H/M/K2IaZCVYIYgq5e77+OQwfs
D0FG/cwio9TYOTYfDTsmugkZTMtkDhqHSLPZMB/tGaxqbIu9NHifJ9YTGhuu
IRo73HKWx+Zy49j3CAKMXduI8Tck+c+Cw5Nk8Dvm4BJxTbXlQw1Gb0hAJ/M3
bBX3eonj8dSJlUwCdJ9dtWFi5B5lfA4kx3K7uGq77do3w1ZOa7m6FrriH7FT
rjRYJdwb4Lgn9Wl1GqbVZ7aMwWe43jGalYzR6yBl8fjJD2yfUgkFSXV5yE1L
RGZuGvJK3I1aO+GRXKT6rtBAp+Wyrfawxq58A9J8XCPGfkDfolvbgLKniwFw
kgQLIjmwmVquQNdmD0FBSOqxkj7jFfdaQ+UWFUiKfjQCNG8wMKMqDzwkV/LY
9i52knmAtTkSwhYnUUYSytbSSzQ9WleJBrB2KZmWRZ0XPpopYW8xlN8GzNW2
e3uaWFzGiSQuuCku6+oqmD0JDpaWcLGmME+wpJ1KoMvC3lRd2fRcSGzht1gU
S/y/rHcBccG6DD6O+r8Kg3mddxD/mcA8YkEmSMSvL6Twalk1IAiG0MPb1FHZ
WdQVPK7HkCmb0C5BzkrVe/r8x7PXR59C0We4bIRf5VIebkAOGHX3sjd+QMfh
afcXyEKr9GD/V+SWD9HlTK/txAoNBxgfR6qiBAuUoETU6ByszyMrkhkjMlyK
aRGmymdVDxcueORtEwxpjPVnCdcHE6cIXUGb0nVe6lWv66WcfAdcDHk7K7Xb
66A5igM+AItZXH3U/JFufwQHxD700L6GJJXjkIRP9tpTBCNl0Nzf0GFUb0CJ
K89pODZLaN7HngtwVDc8efbtix+/fxK/s9xVZzC9f+JOq7cdgrIM7AdokaFo
L97cezP+7Q8vXtPv6X1PqPnzG0wSANLGchAOV029Z4DNZNZYsqPHTUsNVey5
UL/TWKyVV/PUrqhIeqD8fASvmNMLRQjhLQ/VgW9++glTKBe4n4s3OmxUa5Xz
sVCXlWotl6b/+WcWpA9QrqD3LFIy0MAyOHNsiedd8URQklrDfi9q9HJ+Mbjk
OnO5sx57h3fqDmxMtXOVKygA7iCp9Hc4MQk7m2qiTNwgPFgCII1LHZjrBKV8
1a5RZrqU8EPAVnx3+urInZknBoczH/F0zhBDZLs3TFSpoOfpGy8BojivhonK
tFNzqkUV7h5HYV6sDxayt2uHMs7dJc1vgfsgIaU8fUTVFT4pZlmRh+WitMrx
/rDk5ufqosXcTV4p/VS/Toz3sI7WWGwo+JctSgBr8A4FwpuAsER3M5sOeAQ7
LmHclu+oxCY+QbhCSDl0EgF40ihBqEBiVE+qSympVc2FuufKCBY2leSjXQsM
WxQdCTVnZo5aFWpa2O917NjlS5x1sWjbV3Z4xC06sJYSm6OIVyTvDbMkSmtf
Q06jyyQucDfIeuOz5L/yjHLF7Zl7TIaot5Unf/mFPFRHtfgEwCHvmmyZR+EY
FuLkm6bHow4ePH+B5a4DtCiFViqq5oexh5CiJQKaOooXobTMIMFhDLAfavZZ
seUc0o4ioEK61m46VaR0Ccy122ScXUkh/GzhFvaRsOmbeowh9mLdUULNGflK
DS9D0xAJo4PwGFnJ2GFvmq7yuRE40iXiuOwIcnq3BykVJUlc0dHpQcXiRg84
sAWJLwcnVbUDlW5tCbCcGMi4/nlwFdUazR/qMl7LDJfgZ6UpjdptyII5mtSM
Lvcycm7BlaJYSkhumWyxfZLpsX1XrQNQMhFyeIHqhdbJoQV4jtDLL60jWZ/q
nn23EYXz0xLgDG7B6KTt0ngnGdtxT2OXr8ApV5GQ8VMKF742rqYRE+Tq9MIj
e3Dy+OwVBqSVgT9EB79iZuJ3RrwU0WREDk8cAevUp3671BbDeWWIBKqiHvtI
Xa426ZYhC7FUHk2zka5JPgch9AQgLc56ZFPTt4CAnqQi8LMs65IkdYKoYn9L
0lNCNQwiLTA9RXFVS+ahKpSz2WMJPMZX05ltY603qKOZtPORw/auhZJ8yfTn
fcRQSUxYQhcaK4gz39dD8NHNLZUG/evtwMwQ86pDiTSRT/SU4trKcRBbXGOA
FJsKb/xOMk9X3FemzWXlJmKtoaXE3CGWuPAFlgkQ/XBDrCiSCm9BnwveQnOs
jAfzOUcE/oxvn5tqLQ6K6vX3T377JZ/AICsks5bpCSxgeAqsXQKEDLmq/V1h
deZZ8nqWxsyKN6iv9w/u3SsNeAcIVtQ+/W4ZfTfn/Nywf7ZzUcNsUvHitRVv
/DgOCtYNxkerJco8Hv+rV5xrE4oHNFZ+8z96kF07jJ/ClqNBhOCQ3fDPv0na
JpRhByhjkUNazEu049mbeKnc9YsNQ8d6XIc0OXCY0Zt4B5Nq5r4aKbI6lsSN
bKcskNdH7+T4HNGm3yM16V3Lk9LfD/46cAjmvC/4WSvkPYPDUhi2zsfWOVmM
JQbBF5FryDM+36iTfiHe77QnQmCgHIcRaWUgQIyR1MeLCzzh0Gw13i4ePRet
ougxxjxjZCbKh2MFmx2FwrZxlgzKiGzjkU3E0rl0NvFkCOXR3JPqWpLyjZ78
/73sgevuLvl1hoKn3EjMNXWZ6grUiKAaAHMYUaKvU9AoA5q6MBV30OKiLoB3
Qk7Sj2G37OuQAZrbuei9TpuwxtaHPoAD4PfUkS2Aij8S4FwN6IsmnqQBHiel
XMeVoROfmjUWyxHICKXA6elRQxsLhpEFwYv3a9dY3XjXwEYvg1fEpUEuwRB4
K85hqc2QU4jxDBIQPUIkkUX5Cej0pePHrlyBjKi0dUbVRD+2pXCGv1u1efb6
qK8rPbAB+aDRNhdgyB9KFiEFo0Uc7UAzEs65dJeVQZI0SqK+/jLsKYc86K6G
C46ce13cwUks+nJTifGsUBJ3MlQprQOMJK0tErfPvowavGlUgK+ANRGTJhms
cNhIOU7BJpzll9YObG9DAXmDBysHtaxE5YSfoKeNVQArD2tc4DCI5LL489PX
thRCgkYbUoTGyxdnr92te30RQbHb7fOzjM4oFLhMxElWAqKHODfWo53NS6QK
aY9FYoh2h6WjhAHtHkeKR51/U6hwETfcnnpVlk2UFlwSWO6C2JlffKavpL+z
gRCaNuYx3LCCEIVoy5fX+7KPup7CXB1S38iBITZNuNjTdpcoui4XXmfGRHUq
4jiRdtbUO/eMsg6dhrtXKjA4J4evcxOASvO8Fo7ByWhOcEsCNN5dwj2C6kYg
CXVuyH+4+oJa6HHAVdYYDCO449KLj34nC6qtyhbtmq7ySdOpFUuhyYeoKKHu
F6M0BvzHdMtkP2VeBMQcLtyb59cLxgtYfEs/f1B8+QbTnDNVH0MrhtgNB986
rV4Ot7QonQLIemvJQcFO2vehQtaZ8+uWOJdRQ3Md6MG4f4fNILHiPKCwovaL
uxM0wx/JsTTUiw1b4vfW7QHXDHrrDrOyJRoxO0POAMbyRdNu23OqOCCVmApp
YcEYq+05mRExIIcFLP7xq7NvfL91BW4NbwvNQl7HJOnh6sSrswhRdETf00ot
78RTL7heCYOcXlbsJhu37bHtTdB/xWTIher4HUzh9jj1Z9mzM0Gdcs4Xxh00
e2y1iS5QIsYAmhC4mymjWLSylqLnCS6C71coP6k1N8D6g9WAywTkTfyVJOjY
ftgqMKbC6aTXfpNCTgqxD6/TC7wctppCqUV9C+GRBQXc07Y60RF7KGXsVH9O
NQjIrRL095RXIeVr8lWdJGRa+gDzQckv9Qb8hqoIhGIVNNJIVkvILILpurtJ
kYJkryN7BwtuAcugrnQBP9ll35l4kWVptlF9Wa5CFxpxDNTBlVBGgFJqlqmN
aFGDWwij22MIBjPDqIoUeM22EcPaKR5OyzdUP+eYtkR//2Zp1Uv6WMzoUqaf
ATkMt5oYTRl2EF+5l23lLGJfGnDcR8obLnyLPrE0J0VcZgvdDJv4TQQaLSAA
YJ/tyu0YJ96l6rJWbRfI53Q4QE7hbXZTEQCWnUtUzgYjduswJfplNCdMsOnF
yYV+j0bBtckdeyqU+ELxyUE2pHkrD0MxaN37DLWUknJqXpuidyuLQYOqs5ph
m1zoezClNFJoQnWIsFFSgy255LAJyK8MGJtUdPyEEps1D0ycciiHGNF8ooNU
7EHM5b4tqN9us7Lss4B5k1lDPBPbQqZK2LFnL5Hnw4McCNmRVsthfzI3o6dK
bEfaUBpz138eHCvcEmy/r9hvz8HsCEda8uXC21zUzPGo9t01uooMxz+JTYQe
hsKyVoOggNI3lo631M5f0exHVU9pGuQwjUcqMfmGe2GkumiqA1goQLO6erkJ
SZ8WUd7AaI3GPS1OUlmkue/kd8WLn6TvcRZE4TFHr9nyK8WdRB+d3i0e4gXm
vYidfuo1wLdR+7pqtx84r7Wp9wdrKyxYum0ugZTCZU1Nuwv0hdyjN8wj68Nn
URYsMuCmQazPa7MJKTW20lALrOAw1jNFObT33JNtp66TTFI7G2Uq+sVlVvdv
R3YI2dsKp54ekOboE/yQpK9TfwTXkIXWngG9DXqN4YmQXEXVDw1nLQATzxmH
nbbijBY/0jolT8zeQlbGKy8Hd2U1FMIwtGtJ4FfXv0jdXju8v7kH9+we4Uv3
9zi57A1MDUPH78DC7Fl1wlQjddnTbxflvvZOaX2UAa/W12iOrQoQ9bRNxnww
byn/6vf1+uc3dzmIIinvafbgnjwyfEB6Bm3M1ctBCpe0a+TaHxFvjgB4gjBP
S9bMlaogNngSMITrwSPWAki0RcAIKPuak3o09gvbfViZY+wSaLrtrIzQ5DKL
ZNkrImYzOlnTgPt7xFyuda0cxPY30nlhYaY7TDGQu8kOLDwFEENlvZUsYiX/
QXKOHEPGdW3J0GgFMEI21mFaxx2ZqvJteW5xgdDMWHMfBS0uSaA4ggnOBh+q
cDu6Cx4aeAIP2oHGTySpcgFPVDXnA2hgqbGxRwzYtbapmssaxImAxpTNtN7X
R52QEMldWh2tW+CzpW4LL9rlmUhaQKYzy9vqWhF5s9XE2oiFm/FQLptr0iw5
xK8vqBjvIRD9NRBuggAPAgXhhH1ShINxFoSt0J+RxMr79wON2WNlOKm2hn1j
rNo7CMRP1AcS4fecRe/xHTDHjeMuSkW2sKTkCbxr4ja+kAK0r78+PHt+N99P
fdTanK9gyE8dbYp4NDUx9cFs9pvbN2zO4RWPLNO0fyfHHc2Y87mzYc9oHqNu
SCdxy0VphxS/M9ewJtNFVM2HurmQTgh8L0Mm8PTVSAKoYG1T0re6XNW6U1c7
O9Q0QhoUGurIqOw66nqaEIHuFPft3pYrdK2go6nG4wmOdUqGJBPmoq40xFZ2
UeNjrkODYfFfcaYl1d7yvZo7I49VBSJ6UOYX8CHceJeuof7Cx5zMFLLEX3JH
Fyw2fnz28nec7HMcKJ9ipG9JqVJeaCVBl3huh5AsFrxd2T4MRI9yeOr210Q6
jtxI91pS+Km0TG2ndbs67IQmhBto6LbKgFj4N404KArXANnVBPAM3SWNJSRt
PwIuIJnxroDT1QAnDCAHMoKea6ITFKdIOuvU8QCMFossPzBlatRrkfRmuHbn
F5b7EkNakZq8t1QxlzfUtEDw14L5Q5ua2KTqlHbQPkspwVtXmGyIC6PTaou+
lXS+kSKgCo5eE6dXJ417McEyYSPG7p/LU+sR42dLT0znhM/Oo9RnThXJufci
NIOpakxijh/bGwD5+0d1BoAHPxWv3+VPcCJz7xgbFq6NxdO1wni01lXyln1C
pEnWuA0hORw5Th+VcSe3yXdukIhqaOCgCffY5EzijexwCrnTIVXtl2iAGPdN
7oGLYcog0RJa3J58wPz2SHUTKuTE5mjrF1f23WRQpMT2lbY/0oScpJrgxfIM
apFgLoN+K3X2Y3DYHK6dpE4QZKwlyforFscnxxNFpAhSlnU7U5WfJWQGS0Sz
7TgAu07oLVWsuOwy5iFOf5S5irZVd5G+dWPr7ky76U6u5E1tjKc6VSs7Ozvs
dmCuStPVUc8kESFxJ1SxKqTkg9JvysY1WGLLLoGrNddB0CqY4MmfylTt7JnU
sZ5QhvMWB2A1wjidCBLeRobJrVbfQ6AFLFLYS49IBRAKRQdmBWqCz7vrkGhA
SS3rdSLCl4duHTxqWSOwx9IUSi7VyutFeOfCOKRkODoDBXWMPvHMxl3IUm/h
bGbO+KVPV0rq4kZxl6iAQOJEIHNb1TO5mKfECsUKTcIfnSOf4sejxNjYmrHu
ld0G5btVOBj2kRVkkRnKXk8iPrBXUAmXAVxcwXUuuZhqt+2ccXbZyWcLQ+4i
gwGLySPDQOzRtN8Qb0oSiMNjo2aZ5IiI9MZQmBh/XsYw0LJxAioiHbMZOYV7
HU70rHN+6mG3nOyw9o9przbhRsHdYoHEbWeYc0/V496+7VkcJPbhpaoJiLwp
Bwk1vQlUsVWdKSPin050JqfHFjs7H52GI1hxoZ9fACujaIeVVPl45zgPnYDo
OU1Yq3t8PgTH6MTMx+P7uAhkNvbwjTRAMKcQLHjPmi5Lzalla2tZA0shqUKe
MsLgobIX5TOOm5I3aiC1hZOXm5tbGLuD8mL9E3uSfVQXMvUTRHoYd5FY5tAO
/zF9wYroAqoGK0DVOrFfoKGXiSLLmY8vmS8TT1Sz8e5HPeyxXXagP9/QSor4
pE7tH7K9BN9h+XlFhDGnkcCpe/P/owZjMT+lnRsmWoz9d4+xyfn8X95j7JO7
jPFPPrnP2EeOkf7kU5tv/fb2jcSOfX/bMaaUThrj5LvjvbVu0Y/stlP5Jbbk
pp98asuyW44x3bLslmPc1K+s+O9+ZbeYz6/frwzMsXG/sqkL9WE9zHw31CNR
xf88zcwmrYSjDc4+rm2ZQ8yP2+t4fYRyLI71N5v/Eg3Obt3SbFIb/Ng2Z8XN
bc6APifanE3N5j9z67PJHYzboU397B/RIm1qLr9M2zQ83l+8bZokjoUH/Elx
Lib6AhWFgIdH9mMlMfGloC5koUgnQQU82gZsavd+pdZg7OAO/bMi4+Ymq04O
/EhLsUkAUDt9BRJ9Frmmssifo8ZZ3xk0x0f3uprNnru26nYD4gi65dZOkjbH
30JbEERvDPyJzk4ScxkR7L9+gyld+vCPbDJ1CyFqIlnr+cbemphf5EJ8np3+
Ou2rFklrpY/rXxW1OIwIOibGXKSEYznqSX//Pm4BNwapyM/5Qzr7/ONnK4VC
vbaa+btP6u/QRWaKZ013ljFg6Y9pLZMy6a7619AlK9JUU1lFwLfcgO3oxIfW
OSERjzBuJHNMBQkBHlajBdxmVB5YRzhEW/hdcdj7ZSedbwKavvZD0ccD7EDS
zOO1ay+jnWAY6znm+bHnEyYW0UrAPnDVGLLa+VTXHLaBDi5VPpvt+uu1ZaFq
GE3Lv6EvC4HH/vKNWT62CwuadsTmPWuHDXjb4NEd9lQJM9mqZYouf7H2LR/W
ucWnYRRnBHg/m43SCEYpCIwDySdbhZLmuKIbNk8g9Mtc3ouWmqRMACtlrmpa
fLjlcQ8ivKLYsYJD3JwWGb17hPdwlcKNxRqyQ/GJgOMCWLNUBG6vF/S6JDsn
owazooAUcpwHM4UBQyekNdkwbTAo3gaVNqkXATXF4uG9Z3cpdwWTKPc3WY1U
A78iVP8NBTkwQoiwLqqNx1uNIFk+dBjNEwzCGnE+S663D7WAmNyxdgwrYgEr
wkQ5d7XA5XFuT1KB8j34rZSUxJZU3b+VzaKtr1ixRNm4w4KUCtuIiFSinswJ
N9pU5SDtc0APwCqvONfWZMC4xPq4ZHUwwdLdMfRQ0BH+H0V9omsrT0x2Tgug
GGOGyhNG6iS86sHdPJMIeVhv1yZPCqZbYW7pe6jNDowZn9xR8IfcG4/7B9RW
LM2UCq+ivNkwh6sE/ub9e1B6/vj1F18zdLjKoOi0yQbz+dhJftEHNLOKfBCY
vBc1hNQuN7fQQtKmVxlXxUjTIgWHapmTNG+P401OEcltSArUyz7Yo1zzleAS
jvq7BHfLBzR2ibalvHlT4rYHgqk83TbG94zg1m1jmENqJnNE6873Cwmp0sfb
hYg/+oPbhkTpfzcA79+mecikT+IXbijiE8WHT+wsMjXnTLeRj2g1MjH637v9
iKj4bgdVa8F5C/iLQ0JGpGoa7gKd85GR55NJOdEI9SQtsiBHhKVg0jEGXwSO
rH06rDlAUJgJYYMKFCnVJwJowzzAQxOsgV+wRYY56Y+3yDiSheUMnU9onTH1
ghvbaWSaYhwd679Eo4zdVKOMqaX9p2yeYfLxWKOLDxaCR5qcfTAo9O6XAoU+
omF8BFD0d9hDhKEQbpbXvwhC9GyWbDLuys9Y9cbHRMzrUGqxgpbXSSkJn7m2
94pQegIG9ZlofFSvwmc+sSQVax5qTcDxuTQ+dQgiyohh8rlSmsQOFG2UAjCJ
2ZgUcDNzCGXcx67eVFPkUIHTT9VuH/eRcTUAVlBPwKlLg5PRm53QuaGO2mTJ
/22l0r9iQfRHJ4TSnfB0+dHVd/mhfrlCbbyco73gCudbVGrfWIWUq0D6oALv
px4qJc26P87Qa0vs4HpR9F3VmqqSKWe5ISCZVH+P5qOYCTFIqM9oXXrM9nF6
zt+71HRinZ9O+XF45dNIfzTWL1OLOsmoP7I+NethOkqev06ZalIx8F+kXHXS
3P6vU8L6K9WwPjpWl3dM55rg2n+f8lTTwUwleCIqAYa/uKXRqFxO6uusvCPR
7CJ6x9lmFI5iBIlhJYMcqtHKpLb3+xhDKUjnEK5FkjAOV4jMZqGH4K1OwpeI
hqAeeQ6Qt7leSXy3XMckxzsk68n3AU7VYcFARkoJfaTG0Tl3LT4oJQk1QPpK
JgjmhJXIeS9gKGzN9p8yJA9ZpgMTGVVjPaoE2FBRlv2NT+qCBOZWcD3gvEFh
jtBUxrJ2LtHJSJPkaiHM39nViARGdz5gvabGYl8JFmcEuR/tIbqjQ5jIpYQR
3N6QdSZ8JvWyZ4yJ9NhhImkqA/8gA5oUh5oEEXbo6ku87erzirMrbrCHzO26
raQnovHILHctRr3YM34TQ+9Piith53OJbaGCOAQv1Cp68rJ9yaGKP/0eCzsl
Lqn1jj0MPwjAYlJZykIVhDu14qSOVupSISdiwAwyGDrBPFXrl8X4j8yeaSKE
k0uIJfbwbQBnTm9ZlX/knD60Np+PgFyuo6eCALdSUSqGd8EHeqZ6Vyvua/7G
bwjq/7i6CVorM3RWRNRX48FfSwdCfQRtYDZ7OK1JMJ5nZV1NnC5HHIbdhJE+
gYkAC2DfVp02gm6lNLNQuehUhaQJwbi8LSlUZLaTMXpRQRh3h8vUFZOM0LDU
cU9vXCtQD5Ol6mh0Iy62NI0iD4ZUgaJ6SmdzzMEH15FcKlqWH5CgTwsqMbxy
6d3Uyq+n7pXXIBR3eoe5d6TBCFnJrKhFMZFqyPwYwS2jBktcOWwL4gJ6bYIj
EiM4mEX1C37HFlngQmhysqRe/vyylfWKKxtc4JqMZHGxI/iEqY4xMm6PoPlr
lptkNByLiMfNzevmst1eMvwTLzEtwP+YQux4KYLHcawCOzbRcZNGBl4g6qrs
tjX7UkRfDhgcdym0h4zFQL9t3iksXCaAriX3kc12w3Z6HNnzWiN7uzG3Cljr
Dol1ion9WmW1428+sJ52/M0HFtLKAFY/e0Plq5bHjmcQvvnA0tnbL+EDNvF4
5Z+vOBx/PnUE0WSniuduqDn828kjrPbDYqTk8yf0+dPjdaCf+PJPeTipi0w/
/7QyyYniSKyfy844+eWtSyJzxZCfVgj5aeWPx4oeER9+jQ0hK619nJK64i/2
hY/TdY+aO3LbesaZkx0fU8+oM4m6Zx93Szv1A9SXwxK+m6nsZiPEgFuw1Q4p
6eOCMRRdrupBVc8jWWI5IZ634vAWL681DK5+uluVE85uLieMlCZ1zI4rQ7l7
gZ0N1uZwBev7999Uw+oCfcSE/E7RVd8NKzLGXSEQl0ha3V7e7eZq+XLFWL3Q
QmIYoxMC9mk2clB4f2liGpeKeUPR+9BWSYwf17fB7UE/T1MZEt+MzzE/UkZ2
VTZcBib7l2xd2mJkJk1eYoCjzC8tIWF8oLeoF+I5gLCYsWrkKl+S93zuqgtB
rJzeULT2aOpCaoo4+oPpKmroFTW+Sfwoba8xdS/EnrzeV9FpzaLSkmhIyY/B
msiQPN1Hfk5vEc3GyUxiV5x+WNpQ5jJ+1G4lXaGJHXQtrPAvFScJ0Nufyt2b
nZBfnDw3X//hd3+gfsnGOMgudKhDqftolGhhefQ0C029xZ8JSvyMXrfRPosy
abnfSRW0OesDfrSLkoz5BcFJw15iL49qTYSrLGadc39xoxpnxAjrX16LW1X4
7Sy3RG3eJqUhVCfMDhYREdZ4RdoI8kT62fTkB03uIVHsq+Sktanrqf3hmTkx
fUmOzhH6ohNUQ3+qy3Ddhc4bP756JsUJnDE5w7wZdGn1F9IUCHtXs7FDsVGK
bqyS/t/ZvZY0cfQkGv1waIj2GobRzm3SaIz8EAy8LB3FtNKAtZk3lE/1Bn2O
sOEDv4KrRaXNKFEIDFyPK6C1/Z5gH0bJu/MAihhPht4d5/m+aVqgDz+JcXoc
P/IzZmJTkGfMCCVZLkGhdJGAvtpK0X+2Q7ztzIRWMVHIN0lZ3fAzd/hOvP2a
RzMO0da+xzGmBwBX65TFuAbL/gxclwpST1L/c8aRgjUV7O3ALhNVYvDPYBbn
lOLXsfdVfpQEvxgVzftFMFs1uBdmGCuum0PlquM47juOS4snIi3z6yPfgrpt
qDBpxhjd9C5x506omQ+zXBnnKonoWn0MB0XBCfSQ94cqF7n25zibajvfMEqi
XnDN391woHtBjcAsIKa9okLkKQrVJnNAd6yERjNAuHAQndZMMwHwhQhevTRM
GTk0y0569UT5DRSn24cqOfHFllYxT29iheHUu2v6aZmIpIHZ00QWLfOvR49f
ZvWN0Svrxi9ulp018qrkk5IcbXCu69FJpsipzxqOwKwO2xIRV3NLII7NzWQ4
gxUkDRcFRG/F+4nBPzzOF6/ofzJBsnSqR4t/T+9H7C6ZBpYGlZkixyZ9CcyG
CzxD919/KZHS8DYsOfQhGbwYTSIS2lEaKBIFjI5CZ0/SoD8wc+XNSBY254li
wRRpNizK0zpM5AHxVJbVdTvxY22xPirezC+IOvGCfgBcg0Ux7YCY07iQ2ffa
8Q0HQEc8w5H6gWwOmoNxqzkpwHCZ54FwjXm3ea/rhiJ8NVW3sQyRLlFEdw85
89q6CPVJV7N5OIomjfRgK9sSE/S+/AILHg9DpXC+KVsOP/1jAYy3o1ynDUoF
/6hfcvQqKx/uR5iYLKiyGUrnVa7eG978ekoj4uK7PvPU8dWOCc39/GteMf30
K3uUpsHeEpJs2NFiqLe6PwX2qQ7ectsVP2vcQ6mYJA+AKxuO4gPcRo4bw2Xr
BUs6CXmz6hIO8ANbyGf9Rlcc1+Pepx12UtHCgmbSnZLgJquT/vM+zTfHHJJQ
cOqvmiR9TMljqY3c1s3b7K3KprKN5+CyS24ounrSUsZCAv3NdaZ8vbbtOUXK
535JIkJu0A1i+0GTmRqp4KZcjreakEbZioJMoR670yK/S88f/m/i8KEw2tpn
5uQgzbakQJDtJ9uCxvY2I/U0mjqaLaUk/0sFUmRjc3Dy5oIh8Zc+jKnl/Wc8
zE8xFf2snRKOBByxVJJ9L2ozCtRWAOEFCbNgCplZII5Dy4dmw7W6BERRC7w2
Ug3RDxa59rkWukc2ihKDTHX3FXKJU8LhgYPeOu3PwXYRPJPg32BnMb1BHFf8
hpKLelkIYKBwAN3hwO2tZztQ++v9lm9Lr+FokTYD6fk0SpTYKJtA5TKwKzO6
EFSN1hCCtli8q3Z/TRRF0Aas4l8QvfAApwV1aUV2N8Ost7ZRX3bb83JSDeer
09+Fjfjjl3+iBP+IgUZ+Fa6+Zns438wt7Z8Vqe2W1BHNmusQ2X/VXZLbW0xn
VkVm6tfg9tsBxUiSdcotthRX10nIN3kj1F6vnaU7aaFwyTZlYVjv+CwF8Nxn
0mkdL/TZy4exE4yO2btkWBmK/fzaZoRbwGoSDY5ZUjOJ1gK0/MTnAQLptPgr
G2czZ1xop9555OBiQj4s/5WoqDUf0U66BtAZn/Scxyn75b8De4ZcJneD/4dH
eOZ/FVhL/DC1Ss7R3ZdfmF7N928+lh1Cer7yH7aF2zdGRxjw6w9Du9MTm6kB
e+Bi8KavuLzIlYbN0T2Gux+0gtwMKMOytx7MhkQVnU+SioRJDFlC0/ZUkf9K
+o5v6nd0LZi/LPt2C2xlhp08z+hXc/WLqc4sdisoGesVok6uW6z6xFQ2/YTa
ZlKRrn0Eu9VxT1JKDtaa3fmMLiFovisshR04ibKrzjFFlUJVMqEiTIhE5LIS
IhZvW3bZZT8zop7YQPUH7Q8d5v/itwSsIeAEJA855uVO2UgiDWOZesY6hioV
UTlnwiZmZLUIOyFTTDvZhtzMjM72Sg/y/Wc4hZ9QRP6kpwt34LHnDbqf5GvV
IvqYFI6qUnMLPFD+G5+WO6R4qDpD1boDk6xQ5ilMsEkpopx63eyoJZ34DcVj
i3nakqrCDl/19Q5lB8ZJ3jmrxTKzzyJVCIZ/1iw0Av7YF1oX31C72fef1c1P
Ip9+iiqxf3LFuc9ubI/KfdZ3nFStSUnByUtKPFfAgy7arLEN9BUYmVgFoXmr
QJHt/rAnhrRB4TRX8BK+dTFi6r6rd2GUU+lF27O90E9EnMFY2a77UESyyQw1
p3ugIQPCdi0v2xr5xrmZAZyVh/bLAZPFYbLyEnq7VHmQ6SxVfOOpmGmUsynJ
WdRctm+ZbIK6Te/SfttqRFGSe6Nu37igvhhCe0wquqUVt/3wHLszw4oohlye
vj0t0Wn312rJX8A+YwDKncDQ7hdbIMltOAtyV71uQ2ujSImjvofigiOFSEhy
x2+GVSxbuddiA2JjDQYFcKFO+4xTG93U6VouDRl27Ry9USK9lVGkCtFoH/R2
/gm0wPt8YZMdoWJid4n/GPv+rQggEwAI0Iy9u6CTB8ekFGCvqAxLdRrWzo7Z
A8fjgVZqTKGHtQ8kWfljn0S4XvAxWIXlZECr7XqXjxJngdyQzUAtLpp10GCO
pHBM993JFaVY7owWYEet1oPp5LEp5qooWk6hM7QljLo2/aUWjI4j6BbTXqSJ
tUj0FrfEGqozmsYFXEs8zpOou5PPAhGwjVHejuQ3sLNTx4wmHXrdh8JYEZwV
Fhe2Hagg+JTl9IdocEyTUfchnyzE0VW57DkcT1k/FU/EeRcYF8Qd2HNXXalO
4GKgZN1hfU7HFYfmtD6B39AbYqw5qv3gajDTleJ0mvnkPsQBMwlAT0XPXbZN
UkRXT8NeZVlPAA7INQZSyYuZvehrvga2OZTYNA2Ul++BP3939uIHyq/DhIUz
sselz70dKSk+nQwIGktrHmCUsdztiv1yjFcOlybMSq9imCaa+BSAWWo6zK3g
hq1ynkN1GdtJdylTwCO5EXjH6dTbJp2WdrOL6lyiLnyE1euQP3BcU9WZf2Pd
3VDFpBtl5mimmyCUYiEcyzyzU1QQdtrQ3ljPZQJO6G8uswtBJNq1ay49k3aT
6qh0UIfjwhXmW5w+uKPu2ISER1SFoy/6clNJrbXyDtKjdoQDxKiVmNpFC3Y/
GV0XYnXqmlc0unXw19NaLMlJeWAEOChclH8hiFFJeywP6zLCRTgll1HTNovp
pQWdNfi8KQdldejBFrNPeYIxJD97x2kvGdLa1iVUoT4h7BBNkVzpzOefJ1On
1xgW8LVDuS0iA4/1DKJ53lNCBiHrTSvfqvAK27FTD4bgyndyl+nzcCNi6lOT
wNL3rKNWfH5k4oc5EHRP0HQljDF6ZLzi0+JJSFux8Y5wAQJMofaYIVnIlEOV
/VgOtuZxGRnVvfHI2FqyRPUzeiTIVGO0LGGgz558CPdalWaBY3t4ulfCFNbZ
HcA1MDZyjlA4hsM+dgs68nAaFg8HrD63rfAleMvC2b38XP/foCv/eUBX/qEN
zj8ZkwV53q6lu4Pww7jRyW5ppl6ZzLWK5opxVtWmLEc+HiipUyLOoArjjd4n
FtoMiezuWAKbaVlgG+8WEWg/tpWFgtQhbdADAu8gos2VX2eaeoIpsO5DLiQX
pWIUH/aq3SpC86iuSlaeq9fiCMC4aus2tVmnvy6yzt+hN3gOmWf8W4fO81FA
D5GTIi7Fu7Fk/9cHgHCqZEM+2o2cpb1DaolRMd3U79gPj0lGjJyr/aI5jLgl
t0ZEZ+JH45QIjvcnZHYDCAUl91uJp1CmJt1PtADg3Dun9o4hGKhjFSW23VCh
eFr82FCbJc6b5M6feIA6aIk7HuT/b75vseBa5v8b9jKdabWCABWVfS3ufX47
3bRADg4jlpIkyR6QS76eenFZ/AbNub+2Hey7vJf/gf7nMaZFkLBHN0o5ZN0h
pvC6WrQbdGx5JAyqRTf00JQ7Kt5UAGcO04xnyemRgZVlWiSIIjc69nyragHd
8Q6nUS05e+bHSfDa9DX4HWPxfyzP1AjbEjcJ0kM7O4x2WS7yiKH3Rzm6K5ua
7K0cgAQy92+ivTHzwJzg/wDQjlxxm0ZpqbDGSidGmBaonnZlI0KfliHJyuO7
Kl+MU2YymZBOUVCI8tRIl5DBJVLg2+qaE+ZwtPq84YlSWI/ARriTe+rBKE5K
si9FTyFW//794+56P7R/qa5flnXHOAEC48Lk9f794hnM9121fvKIisNGadUH
h7vhcc6McIPUDYb3/zo7C/RQvdvUW8K6HOV5G2bq6PBjrZO2/Lh6maoF0cR/
KYL9EIiuLCV7VC2GMkH3FKYBt911oimRm0GR9HIXhixdpJY9HC4LR2GYEoyK
+17t2NDQwxBRPUGtvvBqx90FDbLez3Ihr0KCxKlQncUWk4yH1FvqyDjc51fq
bIKhH1pFPT4YR025LJwV+IyD+Hagarimkw88sSRD0Nlsrsd9WquXtbOJzFxL
iri0tSICKK1sg+j4SE9wDQcGJzTG749OYEVJUj1CQ9CPjhtCcfa/QqiK2A9a
GgUVjTFQoHVnIlm84ipgGjgKwY3AzHg0+umk4MLxqfScBnML7ZBcrgahIslN
QH+CTU6gOEE1oDISYokOGJYgu632dHrDqJxhKhmG5shuCqR4f8bI5im0ishi
pqSPEVY48G9ELW6JDCly40XLdLsC7YV9zezpQtyvUMGQ8YGwE1JyrjPMZluC
6ShNOQKkIIfYOYyu0WxyFsNHC2Y6Ei9P4goRglAsiENkTOGey+KiXq8r3TIX
+abwWNsOyKCiRlZJTpz0iO3Fx0QeLaxS4A2LK0ukfEUHQ1du1dVodt1MDggv
rOGuKOnJ+DjuWEWhj8nGd9M5HKOcLWwFGzpeUeEbBz0s9gS0vGmlEmQSMUz0
zWRbaBVAVRdlhwepVZQjI8rTww16nOcbA8ddcpvf53YfBY3koXNmcli07PJI
QxmvKRj/d/RoNrAP54fqTuxYqRkyHGPWTmlQSBkw+9YMfUWeUYm39JRVGIDy
2CedYsKXLsP8CrsqWqGnlnXJDmcgyWC76O/1v+sdvQGxKAqHJoWMJNWBOUi/
ZPXd4gZZ9wg7m2DF103EPw7dplzlzfjXnolI1JQhw8TXwG4M54TiOXBT2lbd
agINtZDGRutE0wn94SbDdeILTn0gOB+PtUWp4aj7UjZblHGErcdqEmLx55T1
MCrNZi28kDzMLTnjOXH8CUY+D2hocSeTJxVwe07j92A/irPRz/7pA/9orts4
OcOgx/wXlNFTESJUygcN8RYLRCiUt4aZrqmeBJGOVKEgD/ncFUUCQ9la0cl5
hb6lLWugBDdCiuKGftZFRTwmf5N77PIG48I4GVs8IPtB6/CRRtcHIG+CdLiq
EFxK0tK1Hjm4RNHOxyn9GfScPaks7WbgZuHShi7WJdje5+geJWOKUMVnqLFY
fyEtp3ZVyJ5DNrbiYg3RMXwl4mmKSmZeEFaAHGpbFjbbgBO142JK1ZywpXue
YxFxbefEbBTWkyxSe7WjhlLoAbaJozCFpHJcgkJEuMO3DcBoKyx2SOPVkaDE
E8qvVVf+4hGtIarCPMEdkAJtXBso75+JycjJuQtYbH8TUFzuD3Lgls96rrHl
UVHEDu4IJYdg8TI1pSGcxlAczhtObp/9tlyZ+KA0aGxVJvU8DKa8Y8FmoImi
omkoQo4UuHPZNVYAEHdIeP7/PY7zMJhYGpBCEvbvc7JDe7ox5+DE4mjchy+f
cfGoNVdLsLHVzpbi95UUv6OSsNkgLFAo63PKGpmuQLlS3iTeNVZDYxZFR6Dh
1Nh1EF0Tit1hJmG75+00LcRPkiMkcFvOkfWxwc8Wou9eYruiCVQOAVQ5hyYH
oflm6YwSZR8BKo88xar2omdTvetZOGHudH6suVpGDT5IckWufUzAqxMHAL9H
Gs4gcX9gJxm1bTBSQA2oBjbBqDqY9ruvqh0VnS3azYKvg2KpKDSrBvfhsIGz
EqYLjSJGII+DmpSYWpxUx2U+ghZhVegYMKioVsvX9wumD2gdNbeg0mKhC2md
qYw+aqrF+cfCU1w/LNxfrGQp63UUMKG4loRNkKsRUnrdRFyBlEd6STy6J2eu
iOWwBjm8NwgDK74HDWsdGI3LWndviuv2ALKwozPYEtZBudayUHmLeFcY/JNL
XFQ8SEo+Wvt4SHMK/ZhLTJ4nHbv5fHCp69dx9b2tA549hWU84p6r2qmBYJB0
c5CWYWHco2xbLztKABRcGTjBC4VruOo40rbEnI23lctpu+A2ROeSo4TRNTgg
0Bnqf6dBW039pZqxBWiyw7ilkLxybs2AAmOea94wZ7OJoaCUzeFaP1Px/QOV
aQlbygBwSiuc6JnBJlMyegIdqhzJT5VOgxmq6zlnsJOKWR343JFsXjbgMGdI
Lg6mTyoxmjvCMgAl1GpkzfsiuVBHsGAcWQN5qErhzF9qCHg6leHxZNwYwF0m
tQBzfUZq6YCUdAo5mirx4NMSDHLWqQ9DbVFOjCbhlKIHH9K0ZTbjc362Y7AU
w5yq5YOfGGYqr+Vc+I5uNoQD1IqTgEN6euKemKEfqj+GVzJZuM+MbJa61hRt
jMRwgaGqptreNaiUPJSeoc1hX/KQlIFox76LzMwwabjEPtgTG7DYKC7kr60v
vJk72CjnJKEKOFgp4SoULfGRQ8NXmCLjAlklXS0r7NqdxAvF6TSB54+/zp2P
+m6CFVNGRkHU+goEVpuL33jtiDaMu4hMHqUVqDKcTIKEn6+D4vNkfsHwZfjs
LH6WrmrcIsFyZU+LOKoXlYHeDh3O3o1z10dyuzoBIaz86duaEAhX5KGezfSf
IcUuN6ZlAVJ/MhV9x+vrCYlo5gLyK+kETi0oym5Zg4zravKRlaypgsyq9yHy
EggaE5Fbbbw0+/HV9wEtGtSpcwUyl2IkVNrFPESNy6e7g261VryunXjFonMM
J4hv4VTAmn1g1qh7abp86jEm4IkZ5WbiE1cod/a0vNos2n5ym2eKhE+dOoI1
HVxx6zrSXOhFqmwksI1YNeTzXeH8n0eWdU+2FVdLXVTWb5kJ4porfyIX7x39
yYX8BI5s1pSX0g7wDsMOffv6+ffk82X7LeTfxx2lwSS0FNNS2gz7gtOZFZwq
B7ndqcfnYUne4SRmHvTPzKGDZNSLCU5DRtRMjYxRKZCqU/U/7Kqy6fM+ixiy
oWxmH9CHlG4d8WXEk1NYryHUt0WRvFkg5mzlhJJ0VNF7017OUBl8a9HMDH0w
Q4yI0DeUD3iqvEl01fZ735dRWGflMvmm6hMoxBLybVjLm1S6XqduZ1ViItvQ
o2GO8d5vULRms8XxHNTJZAB4cCID9WiGADx26/zTbPgN33tb5XCsG1KR/qeo
hrxlNyYsjnMVs0/FqYrjLEV4aKSJ5hVRzc2WpsKSEG0B81g5hV0g9SrJKTrm
JeQgClnYYqAaEXrTW7yowRC1Emd8fiOT04uGr16LXz6IxpxUOS2ek4U7saos
AC1hoBjWhySv+CLtBO1MgtbEmvrDZoPgN3jvc71ipWzGKKRXKFB9PQstybCf
RbsQALlCi7grct9I0E2w647oR4p6+1x1Dbd7r3yV+pH+EtxrbVpTLKSfXsVu
ICwce8bBBURX9ektxNEpXGfJGIS1FSWSTLyEC6wsxy5Sx89Em99V8Oia27lV
naH7uWxvcph5Mc+ZiQmgn+6av3XF91X5tghubhUNcEXctknMObS0ymtbIjqB
A4l2cUo8PC3wjcyDhEg7xKcCuuDEM7axOc4RkJVmiLbUu1pClmF1s1bvhC8h
jnB5VuXqQrMrtSroB8H3s/QOjAF608T2WY6ajARQ8Q4rrTnXEo11uQPZiwmh
kQZDOkeksXFA+rpZmaqn+hjhtrQHcausKqmTdmBD64o+TwxBDgaT+zoJmPr4
ZtRb1rWqAr1MQ0N10uTHZbqmNvjvEhYydS3ZduhzNBWpkOecudNQUU/PDxFs
f6QUa0Nz6TA3I8Vk7m6SFYkFemQUEwkLiKJAYKcezBmIkUr7Zpacgs5R0BQp
Ua2pBvQxaBpNwopff39WbMtrATgImSWyx9QKbIaASWUPZpuLzcWBxgCOMbei
iZLt4iN66SA9LoFGQFsP6dXCLUChbmRX0acvhhzSDJcTJ7kWJAAC86IcEkwl
Op/JWvdM43i1A9xtSN+WF2gqo3vIYGwpmFIT3x8j9M2keJ5rwLhxRLemug8s
7gxA4XGAoyl3URKFTyqaicG6bdu3qt6+kXyhrdT1vuHUJZEOWG2SeorEWpDA
I9y+DRDCbFza5/ez993TA84JYeuva7i+WFDjF7/kolKh445uxAVyjMRrZYas
6n5TWT6w5zOMGh32QvGcejstDGD1rymQ8ZL8sXZ5nw1SJ16K8ybAorAkDcGP
cHePoqtIzGBGMdyhXuHaWozor7qyxzZWUrzM/L1i5AP4t+B9lAXlu6CAXMMm
3MEP72Bex4AeeINNAVX7oG8MkjjnEncBGaWDpYoDalA5k4eQ3XeVAzXC3VaC
H5fLSVPPkeMRkdvy7j+NRGEpoXauaq6zexxfSlKCn9S9C/ykWqWowK9DvEj0
jDh+0gtnyWqZLCTsJVwqaHiGs1A14GX9UUP5FGNNwag2l0PTOp8DZYZpkpEH
xMdEAIcsHO/zFZBYQYze0hRYEY26sLA8UgNoV/dUrYFJGFrqG+GdmQCoNzC4
5398PJiZQ20Rx8eOvh8w2KtLgtxnYUbROoaBJHkGY0YV3RioeUXEMu3C5ojx
QlzVwWt8bl01YsSzQi1z2GOCPAudBEY6Hqm3XP+HSFTMT/iHuPwIe0HdHEJe
pP0Q+yVVyqaFt42gVDFAVHlBTFGpAF0wRYTiQYtgIbh4jHSWw56i1ejgKsZZ
QUycUlKk4lh79Wh2iscsxmVOtA3414O0dT7uCmKVMc5LYR0Nxg6Q5q4kAzdi
CmbJuNY5AlledfAR8RGyVTSFZ78nnidmwB/vf3UfDL2C1U/bvsj5ftMizJ+F
DAlOlTJmrOHai6sGtuQlUBPoSmthNTdlupDRlh/gsWuBxHElc58LoPM8xfSe
eeDP3yc4ZJIlMXd1TUeXK41pYoAuinweAQ+Y+WjlBNHAFyFIcy35ELu9y/9E
RZQbBlFFzR7uzgWrawkK515l2yimLekDmMqyoHeT96+fzyRRy4sTw+nTLBgu
FSIjt1RUgNsfk9a66F6Q+Foe6u2wQJsi4ugkplnGc+6sQnNR82wWwgxrrpmt
gkWBKSTtCjSGU8pYFeh7K/CPQk9HIWZ9YgRMiLOIZtpCwwI8pZGCzwznNlXB
J3yUoO6OgPNGzYFns2+t3tMG/cZy4M/YLrQSws/EUFxccR3hh2SbUU5VaZjY
lLCBLC9SoDG7x2MEsClp+RIaOeu4WJ2cYJipEeXOzkk8s59RQUCShZy8f7+Q
j7Qi8q50ZcCiwcM56DIu8XJfIjiGBlh97/UkP4vxSMTBSmD66BgnRa03dMPc
jNjHlcySQQxyrbLJe3xD77RRjTnb9nClOUYG1uJ5m9Zsirciws6yEhvptRKb
KbH3YcisAotJIrCOeM9CxEHySERkoxlzFLgMgSEMWojNJYchVpQ11x6zIZRz
vRZ3busevzOFz2BxbGnJDLYB3L9dQPWl6p4CFJpD7woCXSlDnIenauJ4H6cj
1KGvYIrgdnN3Vfyj7/F/XFfTIqYwGAg9//wz39a10AMfj+4+lKq2tD/k9D8m
PvybDsGc9uOHcBzqnz9+FuGTyfH8EPes50NuiKnxJv78801DFEEPvrqXi/dl
FxL9438Ui5v+7+ZZ5PfC//MWQ7CJoNA7HzWEbIKu3X5xj8f+O5zIP3A7jUd8
yhATm3/bIW51R26aRTIlWZXN7YOHQKrwVugHD5ElhA+dxfhPZogpBvzBnHzq
zwdw8iNteHk2rCpqJ97gdUnUBN+D15e1u6Bxg74jAaGL8BrGqIypg8wqj8/U
YZC+X1E10Vuq8B8Bd6pqLuuubXYqnLXUSjsO7KqdJLjgh+g+1kzdTJUa5cht
tqwxkIvP3iNmcaIc/oOTFv47ieDXSSJwaGqqzMcHr8plhUFYBl7e1b3EwOOi
bleLkVL2VdmRSVj68FpluG9yjDiGjUqGmZVNtRalDFUUUZejgHocoF1HaQ6g
QYsbUz+SSt/RVURTnBsIVxXX6GXry+BgvzwF2hJ89xRNxnAfguE4u3/k92xR
huz/yKaczV40JF0UqC87ceIhR/ovEXyGwDUE9nWEKaFTsXc1MJZ0Sid+dStW
dc3lfxwb7KjYjYuer+MaHXJmhsCmb9kYY/RNIC0mU8ezEwRHMordyQnsofWb
kD5jelytBr8Qtlan0FQHrnCo/KBIGyNCS6p5RkTHDhymLbpeCKWfJbH8wtAB
66I2AbWdQwNR2JmRQvR2O9C5pDwKI0GKiMjkN+XZmbvmwclKs+grrpogoHjH
S7K+Y4ZCmXKQBLtO8CEQQHXsRPBtfiXqZgAzvo6c0xtWsOtSl9ExlrX8XDsS
zKKqtgQtMkj5PgdVRThYjXXGIOGR+l1+bI75ZRjyjYLUUd14gBy0xqCjSJyW
XklNNiYxGliwzzHguuqe241Kd/OO8A3orMMCxgdDWDrdW+78hHutpebbAvZV
kPDcJlEzBnSTcPkVA5hw8zvNM+rY20Q8gGYo8hRhN6k8s8KUIOI55Iyk/sCr
bWs+7qFcclcYPL+7wNxad+j+doSF9aN9n3PkasfINjxPKr0WCjyCaoQcznKc
8miKLwxgJU68Qxl6nBys9lfa80kEF6ZDuVvSEwbpN7d3cP4N1k+etS4ZwWZP
HM1vSs4JJK4eylXoht7dLXeLVEXVewsqabKOFL7B6NHPWLZIEF3y8LoRyKVj
EQiioULqODtTJ+/4vOJcZJoG6Io/vvpeYvRa/1IPEdb7s4Ylx6rK8u8NAYgO
t5UAoGBeSnXbWHE+hsskHuo+p04ccScGfo3pBJiNtmpR/cNMhXa3pDQMOzLP
kqQiW/phRFRMlRJ1Y8ksGdeiU6vHGBIIalSLh7fJQY6N7gnwBDj9aruJ4N0D
YOYtcDaeeQimRGA5RAPFjcMwd4v9ALEb9nm5irUbrliSVFjuTKOKjpSCJqU5
Y8mWddHXlvgR1A9dsFCnUNhUnVMkMJB57yoqlZYqcPylK/IOZwmva/I7N5M/
EbqnGsJmaX0Wg1QeheQQaNAjfRxNiGV3c4QaGEBF62E6zLG/gDvIUBjYkNTy
23F3sAZJBY72eBg1ekz1ATMsBOb+gsMkXPnqHQoi2epmIYb9Ze/er6iSdyWO
SCkdWITXW7kvZnVJAvYxxGAWw4kWPglUwQnfRyFERTzUXdp2oB934KaJcgxf
SoDpRlOXo4RQFdxBWsa33NBVkYUYVWVb7vmaKThK6EWQT0A8FbJSO1SOc+Ku
xKQXo3saYkm2qD6kY6ShxlW5L634OCilyEnJ0q6OkTyabbsaE4BEHyG1NBjV
qFVjpwg64tRGkTRhzF0vOakmHAPbta+9LAmJiJ6CZPlo1d7i1xLBY9QJIfDJ
nAHfl2VBKW9ci86oEHe1s2u6nyiw9TpjziFFbQ+aTGDTyNtBMkBOsZCUSq9f
iJ93coW19JfbcsIvNcpBv5wg0U+ZYnT/IpcTmWaMKTuGjZ2iRG4xIHjO+D4G
HTSuLyoHp3fOc+qDi8rmV0ihR4/IcLz5yPgOjW4P77VDistH5SWqnAblPUmi
DHpMyBm9pggYTq0Ab7AMp9ZlZQaml3GWCJyWZLZ9E3fxiHo2qoDvtSMap7ux
mu/tGt8TJe2CMpeDd85jnR3soM49qZ10Xeh4OqxfqG9Nn8qpFZQx1zBEx7C6
EPcGP/F5L2Vrc6p5JBRCad8cuPts9gMq65hMTSswZHPpzncZtnweCgMoK4sx
I0sPgs2npk3EqLSkYWwyGUOkk/ud1UQCx2RuVpIXDJS9a0XQZwBw6omUwQIV
L0HcRyAqBF7zKZAQtDTEUuY0DwoxKUaD6oOY9hj4GCkVjBESTkdmE5snvJHS
ixmXiOTl8HUs61BBZDKAeHQhGVmivSGrLtPYhms2tDGNvEXaXEd6D4styZwo
HVsUNkPcPEqPr5WoTgu0gxV5CVO4+Bh0DMFi0nlpJsvI+0slz64RKrUkycVk
TlBHKh7qnmuuBFUBZ3vgsUX0qOLyKauZARWFjpn9L9x+iOr8nRdcrxyeeaCk
mPOp3SNWBi4Yk/1ePX384vnzpz88efrkdByLcj/OdNmReTo2URaPvvmmOPkQ
iKG7XiAECgMLLEDiw/a6CyKlyZZ2HJeT0Smy5D7NGgaZRK/IOtBQ3u3TvhCm
/jY5V8SBesFCdFLVObGLMRSUKPys1mp2E8HyxjuUj7/NE1SIdvCtCTWYkfij
Yz9v3HtycPPIuhzEwUuxwujXDr74aB82vOSV5nJGdm0pXemk/Cb2Mip6HYP6
E+gpY2j3b3PTdMMQrYeBWFBiRrh4ilFCqv5e1jupojRTJ4XRv003n2QylnvL
oiOEPqimfmSLscQi11yvQVnbXIZxEsjeCBHYvKSCsaDI8DZsGM2naY1cZbhB
qVOlb831C6y1ZoB6BgPT4HD2AKhjHYlK7h1/IRivtIociUfLu01sJviGzVmR
FGL5KHhms7EfximFZgNfW4rL+phbaIRKP4rCuZKrsdvMTC7fxDGGf02dCNO2
0GT/0H1pxuiOq3FTDyLirYl171GzIv0dDYBwm7RTZ7hRR80Ql7vpuMUU8w5N
Pm6T/j4KkBxtFKIVKx5BF8FGCEmd87gRv9EcobIuUwYQy5zIOIDK53NfVZgi
JLLCgI281mQUuKnWuovYTxkJbiU929fkfO4wtLGrIl9I6kmkDhkRYpGUiY40
9blUjof3s9ShigzrFYWObxS252B8oPoGvBbemj5jvi3twIYVFWWXlJMm4QOM
smDkmaeRc4n6q6olvS56lKjeRzGYNJnA7TaJWDtyK5lOJiIFaE4sJ20jU833
Wru1Bf96PIZLzT8oBkIUS4vIi66tCLollrR2HVZ/YgBccHjCkiQWJMWFXPse
CbKLpDUOURzXILojnTZiIiBgidhM5wdwHoKfX6bTcRwVsczOmnRdhLwOOx0G
0mtMoaPQOTeJnLyOntHsg/EeND7fKbQajdLnvGwa4WeP/J7WmTTuXkHlCzVW
kApBTDl0GbM9niYHnDEi0Ev+uVsbOoHBwoJjYvvFtica/1hvjdNb9Ob+nANg
IxLKKKDVOqt6ckxgtDOsWKTZ9/ARhT7jjgtHZCy7inGKctWW10lbmClSzWcb
zHBPFs+ZOGJJlZoU5luftCawhJ+9HVx2hItGknTC3ChxbuhEwreySuJp8YQ4
ei+lJ0wVxJ5c07Y4qVB0pbHWStAMfDza3hIUME5EwH6JFBmuHQ6oqna61SLl
qFgdjeueKSpyx0yn9UQWSAhUxO5IwapUZaVqLjBotA6ozSUJFVy8L0j35Nlf
1NV27b0oSELCdJgmT4tHOp6MJmaQ0Srj448UV+x9qpCLmlHR+2QOGc53XtPf
FdqRYuT0GFdBMIqCzo3biBCAOsJ+1mwJ5EzP3iVQYV3JW/ZlcaFcHTzC7yJ7
lerFnZyNTB73w8QUCUfhVSU8Fin+BuqmjQk7NYQ2qhRrV5HoWtW9Gdozgu96
457DxsyMMIFnhjDBp9JmjKrcGMGvhR1ppCA+Vmv7w7If6uEwqDEbRiaTKyTp
YNs3ng+6cNR7JOvEeqkDZyTZxFW48rjjgaiqUqkjfK0TyOjg5xGwIX1vJFR2
5wc55xDLYm1lFK5zbYz0nFSfcZ0tZiOcrin+F7jTtDuFFbS8sds7Kw74BVhF
VDbu0PrK3iAuFUuYIG+waaLO6iTumXh3roWb0z9gbCffRA0WHg0qE05YHIPE
9b55QTCuy1XXouIOn4OdbFj9wQgfMw/GRbA202S56YsFHRRzlU7jBTsLlJNZ
VegeGqvJMQztyV6R2n3Jhak0nqfik9Q0RzRs/7nJWsaWPRpiW6X6fcnPaVEj
v5JU9kerxA0jyJ8L4DU4dQLfo7Q98gOTNHBixlLAnFqtwS4USwlR1NSDXmOf
/s2YzkOGlGWIbOtNRUZY6AHghtnWzdugr/rflgGDp1ymix0PZP614KgxECOk
KMq9IinMOBWZQ5E4vqThRRX0EypC3SQzIQmuLiQ6hMzlDUEukhTx9qE6MfY5
xUtxN+gDnVJ9upHxbFHjTomGd4X7doKBTj3K1RPpfxzRH/dQiLsTMp782Mpn
Vm8o2XV+x7nzO+vCox5p2koN+T07khXtLZNcnEm9I3yij+pH7sX5DLOkthXj
zJMfLsA7kJmlAdAzz8Xff7axhxYxJsTHNfNAFRLzP8ueEMtHQiCuX0myly1n
I9wsOCxsqYlckRopDcKcl9VFeVljYo7LFLfinNCvUTbZmgiNwEiZ39EuFJzv
YsBXrMUI+Il2kIiyNjjnGnMdK0pAvG4lZkYoWMexrCT+M7T7elVcwLWnq99L
t1JJIJHUjcuKQfRFWoz7/MDVet5KVw6qs9hh0gLvcwTMpE0cEHytK6+22tVi
R3mrFQNH4TV2YPYKANU7zyBOeHFZbg8hBNKELhoW8Y2i2ZboA4oz3WLZ26ip
xXSSF4WYaPs5YKhwjWhSuZPKNwAJV/JinHZrvVZ4t5cI+wLXn8rB0ROOcAu1
wD4g1bAyKaRpbgVQS0BZ4Q6w5125v7iGK/bzz3lM4TgyyLedQt4NNdKgrjBw
VgM2+Zx7nlsqDkZA95E+oMtKGtIS8ZAf62EUposyTQ5bSeUVeIxeo+6yLGnw
wn83o5H63rn0t13S92VqD4wG2bHRbGWL9Q7hs7gMkaVhDRZBtPSNtcipoEtR
UANtbl+fo0LW9TB3mRT2Pk4TtViNKCD4Y2nY8VAVpTLZXXo+IHyS2bQu2Llu
/thUz4tEQYjbhjkGdsz2uAGApyNlREtIVrZB5qKsKqXipLUnpnNsSo9iTK0T
KLbB+mukA6pt17LPa4diVmxdZs01pn6w9oI+HJcZzKBW+wPx0tFFnxvGtUMS
/D+tXdty20YSfedXoPCySYr0WnJie1NbqdLFcuSYsVaUk02lUglIgAIiEGAR
oCjlD/a79se2rzM9Q1D2wz5ZNInBXHr63qed/AhxQ2bqfggF3aE8UsTtgRlF
oBVs2Eoj60+LthOXW2jq3wzuikpraZ7TbupcHLarqgGF9a8Ag7V/3O9iGADg
q5wL3uB66ClUWi3dDUwdZjdUgGnvH4XpkLkUGqELaxeN4kAFKEW9Zn00Kmzg
/QtmTX10rj1gaKBT7zX1Vpka5ecSmVh/I6hsxS6rw6GJPDrJzV1VnPU4mAhj
x4IxPnaFgES9ev6K25Arckc0Rwq/CbSQ+nUk7CzttxQ4p+okODCQAZrdt1Vu
uh1WhN2TufRatedtwlhN+CFCUPCeG0VlPBA5nH3/4eP7c24UweAfxBDhSd5B
GVD1FUTlVwz5vvTIa3ixDnR6J/iduHn1hDfqCVUxCtPKIgnIPexHZQK3h5tk
O57vmyoPVY1axWu/G64RWU4ZdzE849fk5gbUoe1AJir6JzSXpl/NKaVkY7J2
995tH4hzjQSJWuF+ZTsIE1XaX46f2BnxtWo9gvha91y1nPE4cBHtBeTULIlH
oX9Xkdq49vfQFMglSXJPEiGkBTSJpaf6InXcqpzxm7/GJjea3CGoyIdeOTb8
VjZYQm/cQxbxDAtXY4xJYtU9Klck+Y1s3VqPm0g4p5aoG5nvDK3I1Zc8Q8y6
7OAEuSMslm7HacXa1Mv4XYJJmBoF8gGHEpvz81xrG7OssP6opegitWPWY/nE
jqLDfSmRCVBVa5i6AKyR23mo9sE7paNvw2nlhanbsnFJTjDhPIBIwzIjeL1D
VGTOKCw8lz+gekrLNSpl9MZkACYZm50+JkaX/6lJwbD/ns3UcPC9ws252goz
XkhrNi94xJNX5Nm9HMw22TaWdiRZlE5ZzYhuUGs9eAhUk+HAy6NItL08dKW1
wG4vNsVyCrawpGoOZmi5xr4Ih9X77zQSJHGNMILk7CXGPgyzGMMSIt8acVBR
JxeSHmtUoa+qs/GXBqaZSRMLHtK+kF5739ujUHlmfkAZtgZKPbDxweAQtiNa
0yf8JtQZVQjmkPEloLHDu+KQTiOqv9lsCYTuCgiA0oimoNPDY1/cXE1JzInN
wCk5/mbRb50j5c3Afg3M42lLiAIjvG/zwoDULgfiLXvdCMwwYR9P8XiMBdSO
85ARGURcJwoDYKKR3MacLsPw6SVogN5nteukoOKndHgc/Hspkwvj2wJxM60e
Jh/X8I/rRpGA8oXawu+s7f2+qh6268/1z8VvEY0RxpgQsC27t7CQm+Z7z6m/
hPWimOgOh5gyAqXMYQR/14X2sR7SSkGRsBj6IUKpcYt4TFtGB8F6D9QQwymO
MpePHjZZWHEytu1sOLokxkXxxQH0S3K5f9rk0/2bmu6Ku2L+NwNVYorf1Jhh
h37QPlqjzBK2AVMDae2Pf3YLzMMaJ2Xb9Q1VTuPOfvdHFJv1MbWg3kSZc+x5
lziozw93M2LES9e9kpyAxYb8ee432n39kTslGUxDdv9pXhqFzCb8mK9SFbBt
zsVkW0gtSlx/ZM4644gbveKw5LwkvwMK90DgmTax/FpC+w8QiIhASevmETv/
SDyULllwfBAX/FYjv6oQxIsPioijHOwwzSiMc5RcxB1NPyE4ywCU/Y6zonxf
A/I83vp+y7goS31yBVQ3wiMbJ2ezq3FS9Au+CSc/nsThAOQnVdZkg3W30hxD
LTNvc9kGtDSqQEjia+CekFEEf57rg9pfZf8Fv/6KKe3kNMNGYLmVlVRUEXgL
f/sNxj9+iZ6FMylqxq4FD2B+7qqc+67CrejVa62tlXs4u/m2xy6tk+NvRmL5
S3duYmcEJtHW7S27ptKDRkrK9wLVLKMZEKHtOKeNMbsJKga7VJOrghyTeZKW
2NQhB9WgSPlqphSuGojOpdiFOKfOhVzqzozQhUUJ9nsvsoMbh2UeYlnCGOkF
J+PBlqQOYxjoNFUsrNTfPSQxrkaiuWH/EOTND1g99xVIoQZZEVAzEC28vgGt
z02SLisF5qR1VBvsKepVDCvRFWZh7gGavDZqu6geGBcODutrOqx1zpEKMyIx
0opdfV/hI/j9I2gE5vdAhU27q4ucE6Pp9F/ggG/I4UzB/uZRqpXZzxnQWxey
bLaOecJ5sCThlbmmPPp5IqWCesuNP1Yg0fZC+K68CW66C7CL1M0EYQ3YwKau
XJm/u5HB6Lvy0ao4xsUdGLtSnL5g8vCPv5tpmjIDO6Hrlo8Ka0fxZgI548WW
AstiAYZpgunVxS4YyJnLupdOszCNhzea0yooXW3jvB2W48wL17GKs5/Iwp+4
HltfJeduTBmPT66s1myNMkkthaScBrE3Ya1yf03nkdWsodGds0XnQQgNL4XT
OGiUOPnBBKZxL5GNoHOdcZ2ZwugVzsFtkjxmJsN2il0esNdeu1p3FPod2Pg0
CyDcJPE64VqpNFFMcekp4EvJKp2FcegGOb51G5+wK3BEf4Ax9PfyczNUk2QK
frsslwwTbWMPVMCyghqMNLiBJEHlDLGRgk+eWJcb4uEm51bPum/Fg4gJ8tJd
JcQGQF7hGB6yPk7y9U0refQkxQoLauAUm6up406eOwbXCv324dXCcW8xpxUs
zXbdwTUD/rLp6TNfO+Y3Zd+v/R0k7nY8CsY+Ofd0MiXxKl3HDOdlEEiUm7Xn
5hVXnhiGTjMDYUD82wm0kOPX1T0H17h7kWif4W+6Jlt3ZcvM+IhjBCz5tw25
LINt0u+C6d5MLyco5EwzoXyTLXu3SMKFiIQRWZvka7833zmSgck8x8kQCj29
ELctYVroZfnX1TKDS/MFVkDVyfHz468nR0eToxdfwuNH/7CSiryY4QzEo4kX
CWvAuS3VumBQNqDqU6CxJjkDRX8O/wk3HM0AHPh1eKY12lkLyqwIJvdui1Xw
MEewJDZmKsx019bsnheNQjWSR38yde7sU3FnewWCKWL201utkyXxgM1yNRnS
/YjkzCLuKMIpJ4FScuY1L3H0p75bAGhY/CklKk+R/aS4Ea9GRnXQO0xFgX01
gZfcgn3697zdzuti0m3naOC4En+U8Szh2SuxBNX4+sIVXdIidMfI2gllONMV
14G591aN+uyJRdJbqMouiMvhymEDbqYutchxhG2nPSuQYF2aGXrLWMkJJ+E5
UbUir7YqNUekEat08RqaVlcQfVyA7rFOZnftXcZ89n27rVARaZqijzWJQhM3
bMCY1lV0A4cgfdgHG8q46DsfNGho/RS7Wt8ScZMyjuTQ1hXv/u0Wnq0r1QfW
cJygQqA0lNbj1vrzHN+ooUvQHui1gYnZaQ80Kn9x6Vxek7pGE29L1mPuNZBe
esP17XrCoSHb3UmKphZgRcOC8kEQXL9hVyWeAQj68yK5fkTkQs51I5GLu0Ha
bqxno30jzVn5hEQ5NRQbMTxzQutsk5EDECnTuePVbxb7MAc9gwPeS5zri1HI
ynAKVD2Dt/n8wzSND5YuXIz9Q3gznjGvh4+GV4M5mqZustuuVtwbXbM2CVJB
u7IGumEUEYzK+RS/Zn/v44t2zALrvuok/ZCkBOc7kS9Nob2ACS/uaq6ygJvt
yji3pJbihvhwBfoW3KJFkDnTz7ActQA9V3WqFycuDHLHwwEermIMRCvKLZbv
ojXFGQU+PxItb71oorx5eOaBqRh0JbRUkFGaUFcI92FLrXHbj0bRlgxN6dtD
wswcmTfTwrt0qBDai6xh5sttZ52Adfab97gF6RjB1grOC67vuSUrUlWylUFm
80OgqyDmKrwjcaOZUPtXf2MQIDWIYyH90F2OuPiulGBMWPX0ntwXxngX4wdW
9Zw0oitthWTblXFasO45Jj9PBKJk6GDdvAJSpZsyqYp+OUFFeF51k81y8fL4
5TdzTrXhE5Zg5wzeMat6l6JNGV7otInUAHWkeefNQan7/HVAlZRj7Ak6pbyk
It3zQZH8ks3AB9zMin7hWHpn2QYaxLhYSvPG9rmOcyDHA97hUqBOz64Cd4ls
snjPY285WTJuR5HqgI5SUP1T7jwluh172kAR48ySlIYMjTTYPlcvTngJ0l0Y
N8N9h/wq4kUC10CAQ3L9gpXEhhO5nZ2fphP0TZlq93+7pXC2pGueCQVR57cg
o5Dd4kRAFBvtqH932GnY+ShT3BKyvz9jC4NFRAIf5vVyZG+Dfd5OD151MlMB
+YkRSQO7bFzPX6tAkmDDIitUsUE8h3bqFC3md+i52b+hNIe0QT9TarVvlwzJ
JaF0+7xPRilXWKPLehrog2hs+HmBbAJNfUG/3fME2eoEpxHR6knjwtahNbWq
KoOmgFFLP1okE4NrZt86NYSEPeWrDcXY7PEQr98hy4nO0KyJ5xNlw3GYU8oA
K2Ca0jV8zNTDTkkCVnc+SX4v8xHRf/W34bs1PQ+db5J427Mh2O3Xz7ADqKKo
ZzDMWJt7Me+qiGehMu951gFmFSuGrUv56bl8Al9UK+r/gUGeUsL0ceGZYhtZ
dhmJIjA5AmlkTqdYrcusc2mc9ldwhVy+LA/0xP1zwG46NJ1RVt+pRy7KLdQk
PiLdF6No8txNHYwlEy8gvV366yJisUrFgCJUdkuYhrQwasjq440K0MGReUKm
QEvx6T6SVttJn/xpyv5mY674e02dNZyS3xDGHLdiUD1/RrBv+JKKuySjW1Ef
R4jVTm8VhTls40Mu3qsfmT1XvXTrfvbsWSoRJERkUJLgqJteYhdmmHeS19Nq
+o5cTGJ1bMCK9Wox20J7hc5dTs1WGeiTQ96wzi2KVhQSCxkIB1SrIWbrd1z9
9FEu8RdBAJ1SFHKFipj1hDaITlbJXZh8Z4McwaNaIp+phv4l3pGHdUY2dXpo
0ukA00dHcqbdETct2Kya28rni0mALvNZgAJoJ10cx7IS/OmQsNEABmfEq/ns
7EWMOzGy48KJVbEUmc07S9F1v3HylkKVgVh9X7RgyZRVXVvOJlImZJPJfFvX
RZ9w70GSRjB5aqkYQuN5A3VPEDFJER9DmcNgzo1LRODMVYfu8fH6ktU1SkRq
SEaphCGY0+GfmpVoFsjLZ8esxrdro4aicX51ooBhmlyLhQOgZzQOySC8VZZ6
9hiyZds+6iCZIhRoO2RhmXJmeBjFgSFiPOOjPdUpPMmbdoNOTjCSckL+LfJ+
gG3shVZ8aPPpsjHlN8WDpHnb7xagBhQx0s44obatmNoU1WMGkzAqEEtfZMur
ohfIqX3PKSt/Bm3IJrZ7QcTJDq7T+kHdbgeXVqvTcoahrwVyj3yzIt/3Ns4y
Dpcx7REMkbDwJqB4Ywg8Be70kpodvZ8lSZ1I+iC3G7O44ojzUEqFBtm0+oZx
GlobruYEI4SHgDX/DKygylbJedE0laBKvWvLJjndZHldPI5Hu7Ldw9Wmo/It
sU2SNZ0NhaN9MlPkKsU+zIcJz1Yf6CIoEVlXgtrPHcZS0It70y3Kdlk01S3l
bQ1cCpcSjeah93tcorXaAHu71DbNSKxdCQzj+JWWgqNXVzFzgMcjE0fyUVLj
bMY141Vp2pivcfEhpA43kcFqyUzPEWEqA3mtV1p7NW9ypzsBEa3FqSRbeiBx
5VuEkMlBxGQbwgKiDz8Wux6RIk6aJsOQT0HSEA5lHMWC8DP2uTmpKX38rNwg
4DH8YAo0e5eNk/NsBWwwOW13sFHj0XnWVEWdXICEhO9AIp+1LZJJ8gYTbd9n
yLnfgDhptvCrt3CMFXKG//4HCf6nxwZYLny/qe6SH2rKinxzD+wCOMAS3tlu
xyMbSRgnbwuMvCQXIIcw8jTeP/YxBhkymD9IMKClBmYckC986kBPTL4vsJfA
eBREssbJD7BpyXTxFkxsGLej/yAKmhaPwJH+2gIvq0tME4DZeOE5DgMc49EU
uHxyWoOAKwvYGBNS7/AYpkB/JYjo03axqMZs3J5WSG1jY+nC322Z4VGftttF
lmcYjP2wARYy64sCU/T+BYP+DLskwcJZWdyVk19gdstxcg1spoHjah7raofN
JODTD3j0tFCcSkY96B7NxwvQNoCI4HO7Ku7Qv/YnWDXVeDR4kX6qeuRcbXJa
bHpeyc9Zj8z2fZbDFXC8ZNssMjHXfoEdqoC+ptmf7aZ1SVzLertcjv4H1XLV
Ir8JAgA=

-->

</rfc>
