Hi there,

Great read. Very insightful.

I think you didn’t cover one topic: public clients vs confidential clients. You wrote the client secret may be available in the browser in case of a SPA. That’s a bad practice. In case of a SPA, the client should be a public client, meaning it shouldn’t require a client secret to obtain a token. (Since everyone can see it in the browser, there is no point in it anyway.)

Anyways... I’m working on an open source module to migrate token management for SPAs from the front end to the server side (https://github.com/oidcproxydotnet/oidcproxy.net), which is exactly about this topic, and a question I always get is: can you model a realistic threat, a realistic method to exploit a code grant without PKCE? What is your view on that?

Albert Starreveld

Passionate about cloud native software development. Only by sharing knowledge and code we can take software development to the next level!
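The comment above turns on two points: a public client (a SPA) has no secret to bind the code redemption to, and PKCE is what replaces that binding. The following is an added example, not code from the commenter, the blog post, or the oidcproxy.net project. It implements the PKCE verifier/challenge derivation from RFC 7636 (S256) and a hypothetical in-memory authorization server that refuses a public client's authorization request without `code_challenge`, redeems a code only when the matching `code_verifier` is presented, and requires the client secret from a confidential client. The client ids, the secret and the `AuthorizationServer` class are constructed for the illustration.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class OAuthError(Exception):
    """Raised in place of the error response a real authorization server would return."""


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636: 32..96 random bytes, base64url without padding -> 43..128 characters
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class Client:
    client_id: str
    public: bool                  # True for a SPA or native app: it cannot keep a secret
    secret: Optional[str] = None  # only confidential clients (e.g. a server-side BFF) hold one


class AuthorizationServer:
    """Hypothetical in-memory authorization server, constructed for this example only."""

    def __init__(self, clients: List[Client]) -> None:
        self.clients: Dict[str, Client] = {c.client_id: c for c in clients}
        # code -> (client_id, code_challenge or None); every code is single-use
        self._codes: Dict[str, Tuple[str, Optional[str]]] = {}

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: str = "S256") -> str:
        client = self.clients[client_id]
        # Policy: a public client gets no code at all unless it binds the request with PKCE
        if client.public and code_challenge is None:
            raise OAuthError("invalid_request: public clients must send code_challenge")
        if code_challenge is not None and code_challenge_method != "S256":
            raise OAuthError("invalid_request: only S256 is accepted here")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str] = None,
              client_secret: Optional[str] = None) -> Dict[str, str]:
        # pop(): the code is consumed by its first presentation, whether or not it succeeds
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise OAuthError("invalid_grant: unknown code or client mismatch")
        client = self.clients[client_id]
        if not client.public and not secrets.compare_digest(client.secret or "", client_secret or ""):
            raise OAuthError("invalid_client: bad client secret")
        challenge = entry[1]
        if challenge is not None:
            # Only the party that generated the verifier can reproduce the stored challenge
            if code_verifier is None or not secrets.compare_digest(s256_challenge(code_verifier), challenge):
                raise OAuthError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_scenarios() -> Dict[str, str]:
    """Run the cases with constructed clients; returns the outcome (error code or 'accepted') per case."""
    auth = AuthorizationServer([
        Client("spa", public=True),
        Client("bff", public=False, secret="constructed-secret"),
    ])
    out: Dict[str, str] = {}

    def attempt(name, fn):
        try:
            fn()
            out[name] = "accepted"
        except OAuthError as e:
            out[name] = str(e).split(":")[0]

    # 1. SPA that omits PKCE: rejected before any code is issued
    attempt("spa_without_pkce", lambda: auth.authorize("spa"))

    # 2. SPA with PKCE: the verifier never leaves the client, and the code is bound to it
    verifier = make_code_verifier()
    code = auth.authorize("spa", code_challenge=s256_challenge(verifier))
    attempt("spa_with_verifier", lambda: auth.token("spa", code, code_verifier=verifier))

    # 3. A PKCE-bound code presented on its own is worthless to whoever holds it
    code2 = auth.authorize("spa", code_challenge=s256_challenge(make_code_verifier()))
    attempt("code_without_verifier", lambda: auth.token("spa", code2))

    # 4. Confidential client: the secret binds the redemption (PKCE is still recommended on top)
    code3 = auth.authorize("bff")
    attempt("bff_with_secret", lambda: auth.token("bff", code3, client_secret="constructed-secret"))
    code4 = auth.authorize("bff")
    attempt("bff_without_secret", lambda: auth.token("bff", code4))
    return out


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:22s} {outcome}")
```

Scenario 3 is the answer to the "what does PKCE buy a public client" question in defensive terms: an authorization code that leaks (via a redirect, a log, or a shared device) cannot be redeemed by anyone who lacks the verifier, and the failed attempt consumes the code so the legitimate client learns something went wrong. Scenario 1 is the server-side policy that makes the protection non-optional for clients that cannot hold a secret.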