by fulafel
795 days ago
In what cases is this kind of plain auth code flow still considered good enough from a security POV? There's advice, e.g. https://www.oauth.com/oauth2-servers/pkce/, that seems to say you should PKCE it even in server-side auth code flow use cases:

> PKCE was originally designed to protect the authorization code flow in mobile apps, and was later recommended to be used by single-page apps as well. In later years, it was recognized that its ability to prevent authorization code injection makes it useful for every type of OAuth client, even apps running on a web server that use a client secret.
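The authorization code injection case the quoted text refers to is easiest to see in code. The following is an added example, not from the comment or from the linked oauth.com page or any OAuth library: it implements the RFC 7636 S256 transform on the client side and a minimal, hypothetical authorization server (`AuthorizationServer`) that binds each issued code to the `code_challenge` it received, then walks through why a code issued to one session cannot be redeemed from another even when the redeeming client holds a valid client secret. Class and function names are assumptions for illustration; the S256 computation follows the RFC.

```python
"""PKCE (RFC 7636): client-side verifier/challenge and the AS-side check.

Added illustration, not code from the comment, oauth.com or any OAuth library.
The AuthorizationServer class is a hypothetical stand-in for a real AS.
"""
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier; 32 random bytes give 43 chars, the RFC minimum."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS that stores the challenge alongside each issued code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # 'plain' is allowed by the RFC but gives no protection if the
        # challenge leaks, so this AS only accepts S256.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        """True only if the verifier hashes to the challenge bound to this code.

        The code is consumed whether or not the check passes, so a second
        presentation of the same code always fails (single-use codes).
        """
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        bound_client, challenge = entry
        if bound_client != client_id:
            return False
        # Constant-time comparison of the recomputed challenge.
        return hmac.compare_digest(s256_challenge(code_verifier), challenge)


def run_scenarios() -> dict:
    """Exercise the flows a defender cares about; returns the outcomes."""
    aserver = AuthorizationServer()
    client_id = "web-app"  # one confidential client, two browser sessions

    # Session A: the legitimate user's own round trip.
    verifier_a = make_verifier()
    code_a = aserver.authorize(client_id, s256_challenge(verifier_a))
    legit = aserver.token(client_id, code_a, verifier_a)

    # Replaying the same code must fail: it was consumed above.
    replay = aserver.token(client_id, code_a, verifier_a)

    # Session B was started separately and holds its own verifier. If a code
    # issued for session A is injected into session B's callback, the client
    # sends session B's verifier, which cannot match the challenge bound to
    # the session A code. This is the "authorization code injection" case.
    verifier_b = make_verifier()
    code_a2 = aserver.authorize(client_id, s256_challenge(verifier_a))
    injected = aserver.token(client_id, code_a2, verifier_b)

    # The AS rejects the 'plain' method outright.
    try:
        aserver.authorize(client_id, verifier_b, method="plain")
        plain_rejected = False
    except ValueError:
        plain_rejected = True

    return {
        "legit": legit,
        "replay": replay,
        "injected": injected,
        "plain_rejected": plain_rejected,
    }


if __name__ == "__main__":
    print(run_scenarios())  # expected: legit True, replay False, injected False
```

The check that matters is in `token()`: the verifier never leaves the session that created it, so a code obtained through any other session is useless at the token endpoint even to a client that also has the client secret. The `state` parameter is the usual CSRF defence for the same step; PKCE binds the code to the session rather than only to the request.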