But wouldn’t an Authorization Server be expected to allow this?
According to the last OAuth specs, SPA should move to Auth Code flow with PKCE key, right? How can we accomplish the auth dance without allowing token requests from the browser?
But wouldn’t an Authorization Server be expected to allow this?
According to the last OAuth specs, SPA should move to Auth Code flow with PKCE key, right? How can we accomplish the auth dance without allowing token requests from the browser?