JavaScript solution to support Authorization Code flow with Proof Key for Code Exchange in Single Page Applications
The IETF has published a new Best Current Practice for OAuth 2.0 in Browser-Based Apps, which cites use of the Authorization Code flow with Proof Key for Code Exchange (PKCE) for public browser-based apps.
To read about the reasons for this in much greater detail, please check out the OAuth2 Implicit Grant and SPA blog post by Auth0 Principal Architect Vittorio Bertocci.
Auth0 authorization server endpoints already support the features necessary to implement the Authorization Code flow with PKCE in JavaScript applications, and we are currently working on the best way forward to provide this functionality as a packaged library.
This feature is in active development. This topic will be updated with additional details and supporting documentation when the feature is launched.