I have a purely hypothetical situation, but I want to understand better why auth0 does not let you block a certain api for a certain spa with a simple on/off option.
Let’s say I have 2 SPA and 2 APIs, spa-a with api-a and spa-b with api-b. I don’t want want spa-a to be able to get a token for api-b, and spa-b to get a token for api-a.
If you go on the settings of the api you can set this kind of restriction for m2m but for spa and native you can’t. So, my question is, how does the PKCE flow help us in this kind of situations as per:
Single Page and Native apps do not require further configuration. They both can execute Authorization Code Flow with PKCE
I understand that we can add actions to block a client id for a certain api, and also have a list of whitelisted clients on the backend, but my question is purely related to this indication, how does PKCE help us in this way and why does auth0 consider that this kind of yes/no permission for spas and natives is not needed. I am just starting with authentication so I am sure that I am missing something.
Thank you!