we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side
But on the documentation page for Authorization Code Flow with PKCE the diagram suggests that the Access Token is returned to the app. Because the app runs in the browser, this would mean that the Access Token is exposed to the client.
This language is referring to how access tokens are acquired in particular. Prior to the authorization code flow, the implicit flow was commonplace. In this flow access tokens are returned as a URL param in the response, and therefore exposed to the client.
Hi, thanks for your response!
So, I understand that when using the PKCE-enhanced Authorization Code Flow the access token is not returned to the app, i.e. the browser. This flow is more secure because the access token is never visible in the browser.
But then the diagram on this page is not correct, because it says that the access token is returned to the app, i.e. the browser.
No problem, happy to help where I can! Sorry for the delayed response here. The diagram is correct as tokens are returned to the app; they are just not exposed in transit as URL params with the auth code/PKCE flow as they are in the implicit flow.
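As an added example (not part of this thread or of any vendor's SDK), the Python below contrasts what each flow puts in the redirect URL and shows the RFC 7636 verifier/challenge check that lets the token endpoint hand the token back only in the POST response body. The redirect URLs, code and token values are constructed samples.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """Server side: recompute the challenge from the verifier sent with the code."""
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)


def tokens_in_redirect(redirect_url: str) -> dict[str, str]:
    """Token-bearing parameters that travel in the redirect URL (query or fragment)."""
    parts = urlsplit(redirect_url)
    params = {**parse_qs(parts.query), **parse_qs(parts.fragment)}
    return {k: v[0] for k, v in params.items() if k in ("access_token", "id_token", "code")}


def token_endpoint(stored_challenge: str, code_verifier: str) -> dict[str, str]:
    """Simulated token endpoint: the access token leaves only in this response body."""
    if not verify_pkce(code_verifier, stored_challenge):
        return {"error": "invalid_grant"}
    return {"access_token": "constructed.sample.token", "token_type": "Bearer"}


# Constructed sample redirects; the token and code values are not real.
IMPLICIT_REDIRECT = "https://app.example/callback#access_token=eyJ.sample.token&token_type=Bearer&state=xyz"
CODE_REDIRECT = "https://app.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz"

if __name__ == "__main__":
    print("implicit redirect carries:", tokens_in_redirect(IMPLICIT_REDIRECT))
    print("code flow redirect carries:", tokens_in_redirect(CODE_REDIRECT))
    verifier, challenge = make_pkce_pair()
    print("token endpoint response:", token_endpoint(challenge, verifier))
```

The implicit redirect exposes `access_token` in the URL fragment, while the code-flow redirect carries only a one-time `code`; the app still ends up holding the token, but it arrives in the token endpoint's JSON response rather than in the URL.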