How access token is not exposed on the client side?

canyon · June 19, 2024, 11:36am

At official documentation Which OAuth 2.0 Flow Should I Use? in part Is the Client a Single-Page App there is:

If the Client is a Single-Page App (SPA), an application running in a browser using a scripting language like JavaScript, there are two grant options: the Authorization Code Flow with Proof Key for Code Exchange (PKCE) and the Implicit Flow with Form Post. For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side.

I’m not sure that I misunderstood something, but when using SPA with this flow how the token is not exposed on the client side?

marcelina.barycka · June 19, 2024, 2:16pm

Hi there @canyon ,

The language is used rather to showcase that:

with the implicit flow: token received resides in the part of the URL
vs
with the PKCE: You will not find the actual token in the URL.

This is how I see the difference.

canyon · June 20, 2024, 10:18am

I think that this can be missunderstood when reading documentation.

Regardless whether the token is part of URL or part of the request body it is accessible from the request which expose the access token on the client side.

Topic		Replies	Views
Does Authorization Code Flow with PKCE expose the Access Token to the client? Help documentation-request , customer-feedback	4	462	February 22, 2024
How does Auth0 provide authorization code flow in a SPA Help	6	4695	May 9, 2020
OAuth Authorization URL Help configuration , application	3	268	April 29, 2024
SPA with Authorization Code Grant Help authorization-flow	6	11908	August 30, 2019
How to securly handle tokens in SPA Help	8	5858	January 9, 2020

How access token is not exposed on the client side?

Related topics