JavaScript solution to support Authorization Code flow with Proof Key for Code Exchange in Single Page Applications

The IETF has published new Best Current Practice for OAuth 2.0 in Browser-Based Apps citing use of the Authorization Code flow with Proof Key for Code Exchange for public browser-based apps.

To read about the reasons for this in much greater detail, please check out the OAuth2 Implicit Grant and SPA blog post by Auth0 Principal Architect Vittorio Bertocci.

Auth0 authorization server endpoints already support the features necessary to implement the authorization code with PKCE flow in JavaScript applications, and we are currently working on the best way forward to provide this functionality as a packaged library.

This feature is in active development. This topic will be updated with additional details and supporting documentation when the feature is launched.

This feature is now in public beta!

Please check out this topic to learn more and to participate in this open beta: http://community.auth0.com/t/new-javascript-sdk-for-single-page-applications-in-beta/25087

Help us make this new SDK the best it can be with your feedback!

auth0-spa.js is now launched!

Documentation: https://auth0.github.io/auth0-spa-js/index.html
Blog post: https://auth0.com/blog/introducing-auth0-single-page-apps-spa-js-sdk/ (when and how to use the new SDK in your JS apps)

We just released new FAQ’s on two commonly asked questions about auth0-spa.js . Check them out below!

• Why does the Auth0Client object take a long time to initialize?

• Why do I get an “invalid algorithm” error?