onaio / onadata

Collect, Analyze and Share
https://ona.io

Implement OAuth2 Authorization Code Grant Type With PKCE #1603

Open moshthepitt opened 5 years ago

moshthepitt commented 5 years ago

Currently, public clients (like JavaScript apps with no backend) are forced to use the implicit grant type when doing OAuth2 with an Onadata server as the provider.

However, it is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead.

The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the authorization code flow with PKCE.

We should implement the PKCE extension to make this possible.

moshthepitt commented 5 years ago

More info https://oauth.net/2/grant-types/implicit/

moshthepitt commented 5 years ago

More on PKCE: https://tools.ietf.org/html/rfc7636
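The PKCE mechanism the issue asks for and RFC 7636 specifies, as an added example that is not part of Onadata or this thread: the client derives an S256 `code_challenge` from a random `code_verifier`, and the authorization server, which only ever stored the challenge, recomputes it from the verifier presented at the token endpoint. Function names, `demo_flow`, and the authorization code value are constructed for illustration.

```python
"""PKCE (RFC 7636): client-side challenge creation and the server-side check."""
import base64
import hashlib
import hmac
import re
import secrets

_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """Client: 32 random octets -> 43-character code_verifier."""
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

def verify_code_verifier(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server: recompute the challenge from the presented verifier and compare it
    in constant time against the one bound to the authorization code."""
    if not _VERIFIER_RE.match(verifier):
        return False
    try:
        recomputed = make_code_challenge(verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, stored_challenge)

def demo_flow() -> dict:
    """Walk a public client and an authorization server through the exchange.
    The authorization code 'auth-code-123' is a constructed placeholder."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # The authorization request carries code_challenge and method; the server
    # stores them alongside the code it issues and never sees the verifier.
    issued = {"auth-code-123": {"challenge": challenge, "method": "S256"}}
    rec = issued["auth-code-123"]
    legit = verify_code_verifier(rec["challenge"], rec["method"], verifier)
    # A code intercepted without its verifier cannot be redeemed for a token.
    stolen = verify_code_verifier(rec["challenge"], rec["method"], make_code_verifier())
    return {"legit": legit, "stolen_code_rejected": not stolen}
```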

ukanga commented 5 years ago

If we implement OpenID Connect (https://openid.net/connect/), would OpenID give us this functionality?

The gain I see here is that OpenID might allow us more flexibility with different kinds of integrations.