
With PKCE you can use the authorization_code grant flow. The whole issue with SPAs and the authorization_code grant flow isn't the presence or absence of middleware; rather, it's the lack of a confidential client. PKCE gets around the requirement for a client to securely store its secret.
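To make the point concrete, here is an added example (not the commenter's code) of the PKCE binding: the public client derives a one-way S256 challenge from a random verifier, and the token endpoint later checks that whoever redeems the authorization code can produce the matching verifier. The in-memory code store and the `authorize`/`exchange` function names are constructed for illustration; the test vector is the one in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random string (43-128 chars of the unreserved set, RFC 7636 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """Client side: BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Authorization server state: what it remembers per issued code (constructed in-memory store).
ISSUED_CODES = {}


def authorize(client_id: str, code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: bind the challenge to the code it hands back via the redirect."""
    if method != "S256":
        # 'plain' sends the verifier itself as the challenge, so an observer of the
        # authorization request could redeem an intercepted code; accept only S256.
        raise ValueError("unsupported code_challenge_method")
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "challenge": code_challenge}
    return code


def exchange(code: str, client_id: str, code_verifier: str) -> bool:
    """Token endpoint: the code is single use, and only the party that started the flow can redeem it."""
    record = ISSUED_CODES.pop(code, None)  # consumed on first attempt, so a stolen code cannot be retried
    if record is None or record["client_id"] != client_id:
        return False
    if not 43 <= len(code_verifier) <= 128:
        return False
    # Constant-time comparison of the recomputed challenge with the stored one.
    return hmac.compare_digest(code_challenge_s256(code_verifier), record["challenge"])
```

Because the verifier never leaves the client until the token request, an attacker who only sees the redirect (and thus the code) cannot complete the exchange; the secret that a confidential client would keep is replaced by a per-request secret that exists only for one flow.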



Right, but even after the authorization code flow, the access token is stored somewhere on the client.

My understanding is that that is suboptimal because the browser has such a large surface area to secure.





