by vmaurin 498 days ago
In the RFC, the browser is named "user-agent". And in the OAuth2 flows, the browser is acting as client only in the implicit flow. Also, the intent of the authors for the implicit flow is that the "client" is a mobile/desktop application, and not especially something running in a browser.
1 comment

Yes, but I think there are plenty of OAuth2 libraries/clients implemented in ts/js to be used directly from a web application. A JavaScript client running in a web-page still presents itself to the OAuth2 server as the regular "User-Agent" that's used for the web/HTML parts of the interaction unless the requests being done are enhanced with a custom header.

For these clients, saving the tokens in the local browser storage is, in my opinion, the more elegant option compared to saving them in a cookie and thus polluting the rest of the browser's requests to that same host.
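The pattern the reply describes (a JavaScript client that receives an implicit-grant token, keeps it in localStorage and sends it only on its own API calls), written out as an added example; this is not code from either commenter or from any particular OAuth2 library. The names `TOKEN_KEY`, `memoryStorage`, `parseImplicitFragment`, `createTokenStore` and `apiFetch` are made up here, and `memoryStorage()` is a constructed stand-in for `window.localStorage` so the file also runs outside a browser.

```javascript
// Added example, not code from the thread above. A browser-side OAuth2
// helper: parse the implicit-grant redirect fragment, keep the token in a
// Storage-like object (window.localStorage in a page), and attach it as a
// bearer header only to requests aimed at the API origin.

const TOKEN_KEY = "oauth2_access_token"; // assumed storage key name

// Constructed Storage stand-in so the example runs outside a browser.
// In a page, pass window.localStorage to createTokenStore instead.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Parse the fragment an implicit-grant redirect lands on, e.g.
//   #access_token=abc&token_type=Bearer&expires_in=3600&state=xyz
// and refuse it unless the state matches the value this client issued.
function parseImplicitFragment(hash, expectedState) {
  const params = new URLSearchParams(hash.startsWith("#") ? hash.slice(1) : hash);
  if (params.get("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  const token = params.get("access_token");
  const type = (params.get("token_type") || "").toLowerCase();
  if (!token || type !== "bearer") {
    throw new Error("no bearer token in fragment");
  }
  const expiresIn = Number(params.get("expires_in") || "3600");
  return { accessToken: token, expiresIn };
}

// Token store over any Storage-like object. The token is stored with an
// absolute expiry so a stale token is dropped instead of being replayed.
function createTokenStore(storage) {
  return {
    save(accessToken, expiresIn, now = Date.now()) {
      const record = { access_token: accessToken, expires_at: now + expiresIn * 1000 };
      storage.setItem(TOKEN_KEY, JSON.stringify(record));
    },
    // Returns the token, or null if none is stored or it has expired.
    load(now = Date.now()) {
      const raw = storage.getItem(TOKEN_KEY);
      if (raw === null) return null;
      let record;
      try { record = JSON.parse(raw); } catch (e) { return null; }
      if (typeof record.expires_at !== "number" || record.expires_at <= now) {
        storage.removeItem(TOKEN_KEY);
        return null;
      }
      return record.access_token;
    },
    clear() { storage.removeItem(TOKEN_KEY); },
  };
}

// Wrap fetch so the bearer token is attached only to requests for apiOrigin.
// Unlike a cookie scoped to the host, the token never rides along on other
// requests; fetchImpl is injected so the function can be run with a fake.
function apiFetch(fetchImpl, store, apiOrigin, url, init = {}) {
  const target = new URL(url, apiOrigin);
  const headers = { ...(init.headers || {}) };
  const token = store.load();
  if (target.origin === apiOrigin && token) {
    headers.Authorization = "Bearer " + token;
  }
  return fetchImpl(target.toString(), { ...init, headers });
}

// Usage in a page, after the authorization server redirects back:
//   const store = createTokenStore(window.localStorage);
//   const { accessToken, expiresIn } =
//     parseImplicitFragment(window.location.hash, sessionStorage.getItem("oauth_state"));
//   store.save(accessToken, expiresIn);
//   apiFetch(window.fetch, store, "https://api.example", "/me");
```

The origin check in `apiFetch` is what keeps the token off requests that do not need it; the state comparison in `parseImplicitFragment` is the part of the implicit flow that ties the redirect back to a request this client actually started. Keep in mind that, unlike an HttpOnly cookie, anything held in localStorage is readable by any script that runs in the page.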