I'd like to know if deliberately not using PKCE in a mobile app intended for public release is still OK?
I have successfully implemented both methods and was fully committed to going for PKCE until I found out that the refresh token can only be used once, after which the whole authorization process has to be repeated.
Non-PKCE auth flow, on the other hand, does not suffer from this limitation. I assume the PKCE requirement is for added security, but from the UX perspective, I definitely prefer not to bother users with constant authorization requests.
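As an added illustration (not code from the original post, and not tied to any particular provider, which the post does not name), the snippet below shows the two mechanisms the question touches: the PKCE verifier/challenge pair that the authorization server checks at the token endpoint, and a client token store that copes with one-time refresh tokens. The `StubAuthServer` is a constructed stand-in for a real authorization server; it assumes refresh-token rotation, i.e. that every successful refresh response carries a new `refresh_token`, which RFC 6749 §6 permits and which is the usual reason a refresh token "can only be used once". Whether the provider in the post behaves this way is an assumption here.

```python
"""Added example: PKCE verification plus refresh-token rotation.
The server class is a constructed stub, not a real authorization server."""
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 characters,
    inside the 43..128 length range RFC 7636 allows."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, stored_challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint.
    An intercepted authorization code is useless to an attacker who never
    saw the verifier, which only ever lived in the legitimate app's memory."""
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)


class StubAuthServer:
    """Constructed stand-in: issues one-time refresh tokens, rotates them on
    every refresh, and revokes the whole token family if a spent token is
    replayed (a sign the token leaked)."""

    def __init__(self) -> None:
        self._live: dict[str, str] = {}   # refresh_token -> family id
        self._spent: dict[str, str] = {}  # already-used refresh tokens

    def issue(self) -> dict:
        family = secrets.token_hex(8)
        rt = secrets.token_urlsafe(24)
        self._live[rt] = family
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def refresh(self, presented: str):
        if presented in self._live:
            family = self._live.pop(presented)
            self._spent[presented] = family
            new_rt = secrets.token_urlsafe(24)
            self._live[new_rt] = family
            return {"access_token": secrets.token_urlsafe(16), "refresh_token": new_rt}
        family = self._spent.get(presented)
        if family is not None:
            # Replay of a spent token: revoke every live token in that family.
            self._live = {rt: f for rt, f in self._live.items() if f != family}
        return None  # caller must send the user through authorization again


class ClientTokenStore:
    """What the mobile app must do: persist the *new* refresh token from each
    refresh response instead of reusing the one it was first given."""

    def __init__(self, tokens: dict) -> None:
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]

    def refresh(self, server: StubAuthServer) -> bool:
        resp = server.refresh(self.refresh_token)
        if resp is None:
            return False  # full re-authorization needed
        self.access_token = resp["access_token"]
        # RFC 6749 §6: a new refresh token MAY be issued; keep it if present.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return True


if __name__ == "__main__":
    v = make_code_verifier()
    print("verifier ok:", verify_pkce(v, code_challenge_s256(v)))
    srv = StubAuthServer()
    store = ClientTokenStore(srv.issue())
    print("three refreshes in a row:", all(store.refresh(srv) for _ in range(3)))
```

The point for the original question: with rotation, the user is only sent back through authorization if the app discards the rotated token or a spent token is replayed, so the "use once" property need not mean "authorize again after every refresh".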