There is some information out there about how the implicit flow for SPAs is inherently a less secure way to authenticate your applications. In addition, there are documents that claim that using the PKCE Authorization Code flow is possible with single-page applications in the browser, and has less risk.
Is it possible to use Okta’s PKCE Authorization Code flow with something like, say, React or even a vanilla JavaScript browser-based single-page application? If so, what would be the recommended way to generate the code challenge?
If I am totally off base here, would someone mind pointing me towards resources to better inform myself of why the implicit flow is still an acceptable means of SPA authentication? I do not have the ability to authenticate via regular authorization code flow due to the architecture of the application I’m building.
Hi @dragos, I’m new to Okta and I have been searching for an answer to the same question. How should I implement the code_challenge? I came across an article which explained OIDC with the PKCE flow, but I do not see code_verifier or code_challenge being used in their code. Could you please help me with this?
P.S.: For those of you who have been searching for the same, refer to this and the following:
Digging into PKCE
You should see both the /authorize and the /token calls in the call list from the Network tab on your browser.
In the auth/index.js file, there’s a function named callback. In this function, you’ll find this line:
...
oktaAuth.token.parseFromUrl()
...
The parseFromUrl() function detects when an authorization code has been returned as the result of the Authorization Code with PKCE flow. In this case, it automatically exchanges the authorization code for a set of tokens by posting to the /token endpoint.