PCKE support?

[spence]

I see WIP support for PKCE flows in https://github.com/danschultzer/ex_oauth2_provider/pull/91.

Any thoughts on integrating PKCE into Assent?

[danschultzer]

PKCE only makes sense with public clients where you can't store a client secret securely (e.g. native apps or SPA). I can't think of a situation where assent would be part of client side code?

[adamcstephens]

Any chance this could be reconsidered? Here's an argument for PKCE even for confidential clients: https://kanidm.github.io/kanidm/stable/frequently_asked_questions.html#why-is-disabling-pkce-considered-insecure

[adamcstephens]

Or here's another source. The IETF recommends PKCE for all clients, including web authentication. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#section-2.1.1