Need to think of a model that works with the security implementations of github

[GRASBOCK]

I want to create a purely client side app. Now I am blocked by a CORS error. An issue for this is open since 2015. Makes sense, that they don't want me to expose the github app client secret.

PKCE as an alternative is not supported by github; see the docs. People want it, but it might take some time to get it.

PKCE is supported by gitlab.

I don't want to have a proxy running, so the only authentication flows I am left with are

• personal access token; it has quite a lot of friction and is only on a per user basis (one cannot share a link to the visualization). It is a one time thing though.
• device flow; also friction, because it requires authenticating by writing a code and the app also needs to poll until authorized...

[GRASBOCK]

The same problem happens with device flow authentication. Access tokens are the only way this can be done purely client side.