Closed spence closed 1 year ago
PKCE only makes sense with public clients where you can't store a client secret securely (e.g. native apps or SPAs). I can't think of a situation where Assent would be part of client-side code?
Any chance this could be reconsidered? Here's an argument for PKCE even for confidential clients: https://kanidm.github.io/kanidm/stable/frequently_asked_questions.html#why-is-disabling-pkce-considered-insecure
Or here's another source. The IETF recommends PKCE for all clients, including web authentication. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#section-2.1.1
I see WIP support for PKCE flows in https://github.com/danschultzer/ex_oauth2_provider/pull/91.
Any thoughts on integrating PKCE into Assent?
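To make the argument in the linked sources concrete, here is an added, self-contained example (not code from Assent, ex_oauth2_provider, or the thread's participants) that models an authorization server issuing codes to a confidential client with and without PKCE (RFC 7636, S256). The `AuthorizationServer` class, the `web-app` client and its secret, and the scenario functions are constructed for illustration. The point it shows is the one the IETF draft makes: a client secret proves *which client* is redeeming a code, while PKCE proves the code is redeemed by the *same session* that started the flow, so a code injected into another session fails even though the client secret is valid.

```python
import base64
import hashlib
import os
import secrets


def make_verifier(nbytes=32):
    # RFC 7636 4.1: 43..128 unreserved chars; base64url of 32 random bytes is 43 chars
    return base64.urlsafe_b64encode(os.urandom(nbytes)).rstrip(b"=").decode("ascii")


def make_challenge(verifier):
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical minimal server: issues codes, redeems them at the token endpoint."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge or None)
        self._clients = {"web-app": "constructed-client-secret"}  # constructed registration

    def authorize(self, client_id, code_challenge=None, code_challenge_method="S256"):
        # Bind the issued code to the client and, when present, to the session's challenge
        if code_challenge is not None and code_challenge_method != "S256":
            raise ValueError("only S256 is supported here")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, client_secret, code, code_verifier=None):
        # Confidential client: the secret identifies the client application
        if self._clients.get(client_id) != client_secret:
            return False, "invalid_client"
        entry = self._codes.pop(code, None)  # single use
        if entry is None:
            return False, "invalid_grant"
        bound_client, challenge = entry
        if bound_client != client_id:
            return False, "invalid_grant"
        # PKCE: the redeeming session must hold the verifier behind the stored challenge
        if challenge is not None:
            if code_verifier is None or not secrets.compare_digest(
                make_challenge(code_verifier), challenge
            ):
                return False, "invalid_grant"
        return True, "access_token"


SECRET = "constructed-client-secret"


def legitimate_flow():
    srv = AuthorizationServer()
    verifier = make_verifier()
    code = srv.authorize("web-app", make_challenge(verifier))
    return srv.token("web-app", SECRET, code, verifier)


def injected_code_without_pkce():
    # Code issued for one session is redeemed from another; only the secret is checked
    srv = AuthorizationServer()
    code_from_other_session = srv.authorize("web-app")
    return srv.token("web-app", SECRET, code_from_other_session)


def injected_code_with_pkce():
    # Victim session has its own verifier; the injected code is bound to a different one
    srv = AuthorizationServer()
    other_verifier = make_verifier()
    code_from_other_session = srv.authorize("web-app", make_challenge(other_verifier))
    victim_verifier = make_verifier()
    return srv.token("web-app", SECRET, code_from_other_session, victim_verifier)


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())
    print("injected, no PKCE:", injected_code_without_pkce())
    print("injected, PKCE:", injected_code_with_pkce())
```

The second scenario is why "confidential client, so no PKCE needed" is the weak argument: the server has no way to tell that the code arriving with a perfectly valid client secret did not originate in the session presenting it. Adding the challenge/verifier pair costs one SHA-256 per exchange and closes that gap on the server side regardless of how the client stores its secret.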