Open moshthepitt opened 5 years ago
More on PKCE: https://tools.ietf.org/html/rfc7636
If we implement OpenID Connect (https://openid.net/connect/), would OpenID give us this functionality?
The gain I see here is that OpenID might allow us more flexibility with different kinds of integrations.
Currently, public clients (like JavaScript apps with no backend) are forced to use the implicit grant type when doing OAuth2 with an Onadata server as the provider.
However, it is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead.
The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the authorization code flow with PKCE.
We should implement the PKCE extension to make this possible.
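To make the proposed change concrete, here is an added example (not Onadata's code) of the two halves of PKCE from RFC 7636: the public client derives a `code_challenge` from a random `code_verifier`, and the provider's token endpoint checks the presented verifier against the challenge it stored with the authorization code. The `PkceProvider` class is a constructed in-memory stand-in for the real authorization and token endpoints.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 section 4.1: a verifier is 43-128 characters from the unreserved set
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def b64url(data: bytes) -> str:
    """Base64url encoding without padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client side: 32 random octets give a 43-character verifier (section 4.1)."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: S256 = BASE64URL(SHA256(ASCII(verifier))); 'plain' echoes the verifier (section 4.2)."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

def verify_code_challenge(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Provider side (section 4.6): recompute the challenge from the presented verifier."""
    if not 43 <= len(verifier) <= 128 or not set(verifier) <= _UNRESERVED:
        return False
    try:
        expected = make_code_challenge(verifier, stored_method)
    except ValueError:
        return False
    # constant-time comparison so the check leaks nothing about the stored challenge
    return hmac.compare_digest(expected, stored_challenge)

class PkceProvider:
    """Constructed minimal authorization server; stands in for the provider's endpoints."""
    def __init__(self):
        self._codes = {}  # authorization code -> (code_challenge, code_challenge_method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a fresh single-use code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method)
        return code

    def exchange(self, code: str, code_verifier: str):
        """Token endpoint: consume the code, require a matching verifier, return a token or None."""
        entry = self._codes.pop(code, None)  # a code is burned on first use, even if the verifier is wrong
        if entry is None or not verify_code_challenge(entry[0], entry[1], code_verifier):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

Because the verifier never leaves the client until the token request, a party that only observes the redirect (and so the authorization code and challenge) cannot complete the exchange, which is the property that lets a browser-only client drop the implicit flow.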