Does Authorization Code Flow with PKCE expose the Access Token to the client?

I find that two statements on the following pages contradict each other:

  1. In the overview page you state:

we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side

  2. But on the documentation page for Authorization Code Flow with PKCE the diagram suggests that the Access Token is returned to the app. Because the app runs in the browser, this would mean that the Access Token is exposed to the client.

Hey there @mm4242 welcome to the community!

This language is referring to how access tokens are acquired in particular. Prior to the authorization code flow, the implicit flow was commonplace. In this flow, access tokens are returned as a URL param in the response and are therefore exposed to the client.

Hope this helps to clarify!

Hi, thanks for your response!
So, I understand that when using the PKCE-enhanced Authorization Code Flow the access token is not returned to the app, i.e. the browser. This flow is more secure because the access token is never visible in the browser.
But then the diagram on this page is not correct, because it says that the access token is returned to the app, i.e. the browser.

No problem, happy to help where I can! Sorry for the delayed response here. The diagram is correct: tokens are returned to the app, they are just not exposed in transit as URL params with the auth code/PKCE flow as they are in the implicit flow.
