Is the OAuth 2.0 Implicit Flow Dead?

NitNeKing

Very helpful article. I had one question after implementing the demo (thank you). In the diagram of the PKCE flow referenced here: https://developer.okta.com/… , there is one box titled ‘Client App (vue.js)’. I’m assuming you mean this is the browser (client-side code)?

The code from the demo is all client-side code, so in my head I had it fitting into the diagram under this ‘Client App (vue.js)’. If that is indeed the case, where is the backend for the SPA in this flow? If the SPA is making backend API calls, would you pass the access token obtained (as seen in your demo) as a bearer token to the backend API? If so, what checks/validation should be done?

Again, thank you for putting this together.