thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Which OAuth 2.0 grant should I implement? #1302

Closed PoteRii closed 1 year ago

PoteRii commented 1 year ago

The docs at https://oauth2.thephpleague.com/authorization-server/which-grant/ say that:

1) A third party client is a client that you don’t trust.
2) If the client is a web application that runs entirely on the front end (e.g. a single page web application) or a native application such as a mobile app, you should implement the authorization code grant with the PKCE extension.
3) Third party native applications should use the authorization code grant.

I am a bit confused, why is authorization code grant recommended instead of authorization code grant with the PKCE extension for the third party native applications?

Sephster commented 1 year ago

My apologies, it looks like point 3 was left in erroneously when this page was last updated. At the time we updated the page, guidance suggested you could use just the authorization code grant in certain situations. However, I now believe in nearly all cases, if you can, you should use the auth code grant with PKCE.
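Sephster's recommendation concerns the authorization code grant with PKCE (RFC 7636). As an added example, not code from oauth2-server or from either commenter, the block below shows the S256 challenge derivation and the server-side check at the token endpoint that makes an intercepted authorization code useless without the matching verifier. Function names and the flow simulation are my own.

```python
import base64
import hashlib
import hmac
import secrets

UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def b64url_nopad(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    # Client side: high-entropy string of unreserved characters, 43..128 long.
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    # Server side at /token: recompute the challenge from the presented verifier
    # and compare it with the challenge bound to the authorization code.
    if not (43 <= len(presented_verifier) <= 128) or any(c not in UNRESERVED for c in presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier  # allowed by the RFC only when S256 is impossible
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


def simulate_flow() -> tuple:
    # Constructed scenario: a native app starts the flow; a second party that has
    # only the authorization code (but not the verifier) tries to redeem it.
    verifier = make_code_verifier()
    # /authorize request carries the challenge; the server stores it with the code.
    stored = {"code": "constructed-auth-code", "challenge": code_challenge_s256(verifier), "method": "S256"}
    legit_ok = verify_pkce(stored["challenge"], stored["method"], verifier)
    intruder_ok = verify_pkce(stored["challenge"], stored["method"], make_code_verifier())
    return legit_ok, intruder_ok


if __name__ == "__main__":
    print(simulate_flow())  # (True, False)
```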