How access token is not exposed on the client side?

canyon · June 19, 2024, 11:36am

At official documentation Which OAuth 2.0 Flow Should I Use? in part Is the Client a Single-Page App there is:

If the Client is a Single-Page App (SPA), an application running in a browser using a scripting language like JavaScript, there are two grant options: the Authorization Code Flow with Proof Key for Code Exchange (PKCE) and the Implicit Flow with Form Post. For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side.

I’m not sure that I misunderstood something, but when using SPA with this flow how the token is not exposed on the client side?

marcelina.barycka · June 19, 2024, 2:16pm

Hi there @canyon ,

The language is used rather to showcase that:

with the implicit flow: token received resides in the part of the URL
vs
with the PKCE: You will not find the actual token in the URL.

This is how I see the difference.

canyon · June 20, 2024, 10:18am

I think that this can be missunderstood when reading documentation.

Regardless whether the token is part of URL or part of the request body it is accessible from the request which expose the access token on the client side.

Topic		Replies	Views
How does Auth0 provide authorization code flow in a SPA Help	6	4673	May 9, 2020
Difference between SPA, Regular Web App, and even Native Apps? Help auth0	5	12293	July 24, 2019
Auth0-js with PKCE Help auth0js	12	5458	May 13, 2020
Auth Code + PKCE. Secret VS No Secret? Help jwt , auth0 , pkce	5	4541	April 14, 2021
Authorization code flow without client-secret? Help code	5	12490	December 6, 2019

How access token is not exposed on the client side?

Related Topics