Implement the OAuth 2.0 Authorization Code with PKCE Flow

Ted van der Veen

Hi Micah, can PKCE also be safely used by confidential (web) apps as a replacement for the usage of client_secret? I mean, if it’s safe for SPA apps, why not for all types of apps?
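Ted's question turns on what PKCE proves: the verifier binds the authorization code to the client instance that started the flow, while client_secret authenticates the client's identity, so the two address different threats. As an added example (not code from the post or from Okta), here is the RFC 7636 S256 exchange with both sides: the client keeps the verifier and sends only its hash, and the server recomputes the hash at the token endpoint; the authorization code and the store are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy verifier (43..128 chars) that never leaves the client
    until the token request."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(code_verifier)), sent with the
    authorize request together with code_challenge_method=S256."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the presented
    verifier and compare in constant time against the one stored with the code."""
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def simulate_flow() -> tuple[bool, bool]:
    """Constructed run: the legitimate client redeems its code; a second party that
    saw the code and the challenge but not the verifier tries the same code."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # constructed authorization-server store: code -> challenge captured at /authorize
    issued_codes = {"CODE-PLACEHOLDER": challenge}
    legit_ok = verify_pkce(issued_codes["CODE-PLACEHOLDER"], verifier)
    other_ok = verify_pkce(issued_codes["CODE-PLACEHOLDER"], make_code_verifier())
    return legit_ok, other_ok
```

The check passes only for the holder of the original verifier, which is why PKCE protects against code interception but says nothing about which registered client is calling; that is still the job of client authentication.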

Ben Atkin

History can be accessed with the history permission, whereas local storage can be accessed with content scripts. The content scripts can be for just one website, and if that is the website the malicious extension writer wants the token for, that’s enough. I think it is easier to trick the user to access one website than to access the history. IMO the bigger issue is yet to be solved.

Hello,

It seems like the information in the post could use a refresh and the code on GitHub an update.

The packages are outdated and the App simply does not work with the current Okta settings.