by hurricaneSlider 2015 days ago
For scenarios where third party clients require delegated access to users, you can combine these two approaches, giving you the best of both worlds.

For example, we have configured our implementation of OpenID Connect to use PKCE for retrieving an authorization code, and then, when calling the token endpoint, to require that the client authenticate using a client_assertion JWT (as detailed in https://tools.ietf.org/html/rfc7523#section-2.2).
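The combination described in the comment above, as an added example that is not code from the commenter or from any named implementation: the client side produces the PKCE pair and the RFC 7523 client_assertion and assembles the token request; the server side checks both. The assertion is signed with HS256 and a constructed shared key so the example runs on the standard library alone (a private_key_jwt deployment carries the same claim set under an asymmetric signature); the client id, token endpoint URL and key are assumptions.

```python
import base64, hashlib, hmac, json, os, secrets, time
from urllib.parse import urlencode

def b64url(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_pkce_pair():
    """Client: (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    verifier = b64url(os.urandom(32))  # 43 chars, inside the allowed 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_client_assertion(client_id, token_endpoint, key, now=None, ttl=60):
    """Client: RFC 7523 section 3 JWT (HS256 with a constructed key; same claims as private_key_jwt)."""
    now = int(time.time()) if now is None else now
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + ttl, "jti": secrets.token_urlsafe(16)}
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def build_token_request(code, verifier, assertion):
    """Client: token-endpoint form body carrying the PKCE verifier and the assertion."""
    return urlencode({"grant_type": "authorization_code", "code": code, "code_verifier": verifier,
                      "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                      "client_assertion": assertion})

def verify_client_assertion(jwt, client_id, token_endpoint, key, seen_jti, now=None):
    """Server: check signature, iss/sub, aud, exp and single use of jti."""
    now = int(time.time()) if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return False
    h, c, s = parts
    expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False
    claims = json.loads(b64url_decode(c))
    if (claims.get("iss") != client_id or claims.get("sub") != client_id
            or claims.get("aud") != token_endpoint or claims.get("exp", 0) <= now
            or not claims.get("jti") or claims["jti"] in seen_jti):
        return False
    seen_jti.add(claims["jti"])  # the same assertion must not authenticate twice
    return True

def verify_pkce(stored_challenge, presented_verifier):
    """Server: S256 check binding the token request to the authorization request."""
    computed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(computed, stored_challenge)
```

The server keeps `seen_jti` (here a plain set) for at least the assertion lifetime so a captured assertion cannot be presented a second time.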