Thanks to the new "OAuth 2.0 for Native Apps" and PKCE documents, we have a solid recommendation for how to do OAuth 2.0 for native apps.
Given that PKCE is intended for "public clients" and not specifically native apps, I'm wondering where that leaves browser-based apps. The core spec still says that the implicit grant is recommended for browser-based apps, but it's looking like the recommendation is to use the authorization code flow + PKCE with no secret for browser-based apps. Am I correct in thinking that the general recommendation would be to use the authorization code flow with no secret, and even better to use PKCE for browser-based apps?

----
Aaron Parecki
aaronparecki.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth