Hi everyone!
First of all, thank you so much for your help, this is my first post but I’ve read the forum many times for help.
I have an authentication issue and I’ve been working on and looking for a related topic but I don’t find a solution. I’ve seen a similar topic (("Programatic" PKCE flow)) but I don’t know what the suggested answer (using openid) is done.
I would like to know if there is a way to implement Autorization code + PKCE but without showing the Login page (I prefer to invoke a password grant type instead).
Thanks in advance,
Each flow has own intended secure use case. You will have security issues when you will use it wrong.
Let’s say I have my SPA app with direct access grant (BTW it is a holy dream of all SPA devs) . I made integration with Google, so you can use your Google credentials to login. How does it sound? Perfect, briliant.
Yes, I own that SPA app and I implemented also sending and storing all user credentials into my oen remote DB - of course I didn’t announce this secret functionality. How does it sound? Insecure.
But when you use PKCE flow, then there is no chance that any app developer will have access to user credentials, so those can’t be stored/leaked.
I would highly recommend to understand flow and consequences, before implementation. There is many articles about that - one from many OAuth 2.0 and OpenID Connect Overview | Okta Developer