Hi Goatfryed,

Thanks. Excellent question. Basically, with the authorization code grant, there are two "problems":

1.) Impersonation: somebody abusing the end user's session at the identity provider to request a code which the attacker uses to obtain any access token he/she likes

2.) Compromising the code to obtain a access token.

Auth Code (public with PKCE) solves the second issue and not the first.

Therefor it is recommended to upgrade to Auth Code (confidential with PKCE, meaning you add the client_secret) in certain cases. That way, only a trusted application is able to obtain a token.

I'm not saying Auth Code + Public PKCE is insecure. It may be secure enough for certain use-cases. In other use-cases, this may be problematic...

Hope this answers your question?

Cheers!