- Home>
- Proof key for code exchange
In his post on The State of the Implicit Flow in OAuth2, Brook Allen mentions several reasons why OIDC/OAuth2 implicit flow is no longer a recommended approach to protect a public application and discusses using Oauth2 authorization code grant with Proof key for code exchange (PKCS) if the client and the resource server run on different domains, or simply using cookie based authentication with same-site cookie policy if the client and resource server run on a same domain. This post is my notes on what I have learned after reading Brook Allen’s post and also the related documents from Internet Engineering Task Force about the security risks of using OAuth2 implicit flow.