#StackBounty: #oauth #oauth2 #openid #openid-connect Why isn't PKCE encouraged for Single-Page Apps?

Bounty: 50

A lot of services today still recommend the implicit flow for an OpenID Connect/Oauth2 token exchange when developing Single-Page Apps. (See Okta, Google, Auth0)

Some newer guidance out there points towards using the Authorization Code Flow without a client_secret in the token exchange step, which I can agree makes sense for the reasons cited in the article (e.g. tokens don’t live within browser history, web logs, etc.). Why isn’t this concept taken a step further with PKCE? Instead of omitting the client_secret completely, why not utilize a dynamic one as it is recommended for native applications? SPAs and Native Apps are both considered “public clients” where a secret cannot be safely kept, but only Native Apps get the PKCE recommendation while SPAs seem to be kept in the past.

I understand the security implications PKCE is trying to solve doesn’t directly relate to a browser only context, but couldn’t this be viewed as a defense-in-depth mechanism and utilized anyway? I know from experience Google won’t let you generate a Web Application Credential and try to use anything but implicit for a SPA, the Authorization Code flow will expect a client_secret and the PKCE exchange only works if you choose a native app credential type but then you can’t specify https redirect_uri’s for your application.

Other providers allow PKCE with Authorization Code flow in a web-context, but it isn’t recommended from them. Am I wrong in wanting this and utilizing it? It seems fairly trivial to add the additional steps of generating and passing around the code challenges with the Web Crypto APIs available (targeting newer browsers and shimming as needed).


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.