Why does the embedded login widget use Authorization Code with PKCE instead of Resource Owner Password?

I noticed that the Okta embedded login widget uses Authorization Code with PKCE flow to obtain an access token.

Since the SPA can intercept the credentials the user enters into the embedded login widget, I feel it is unnecessary to use Authorization Code with PKCE (which could prevent the SPA from seeing the credentials if an Okta-hosted login widget were used instead of an embedded login widget), and that it is sufficient to use the Resource Owner Password flow, which is much simpler.

So, any idea why the Authorization Code with PKCE flow is used instead of the Resource Owner Password flow in the embedded login widget?

Resource owner password flow was designed for legacy apps that can’t pop a browser. Since this flow still allows an app to read a user’s credentials, it’s being deprecated in OAuth 2.1.

@mraible Okay that makes sense.

The embedded login widget also allows the app to read user credentials, right? So I think we should only allow trusted apps to use the embedded login widget?

It’s important to have a good CSP (Content Security Policy) if you’re using the embedded widget. This can prevent third-party scripts from sneaking into your app. securityheaders.com is a great way to test your headers.

Personally, I don’t recommend embedding the widget. I recommend redirecting to Okta’s hosted widget. It’s the same codebase, you just don’t have to worry about upgrading it yourself.

