Thanks to Vittorio Bertocci for this excellent blog post. Like (perhaps) many others, I noticed the 2018 change in the OAuth2 Working Group’s recommendation regarding the use of the Implicit flow for web SPAs, and it concerned me greatly at the time. Like (very probably) many others however, I had a hard time conceptualizing how to adopt ‘Authorization Code Grant w\PKCE’ within a SPA. It’s semi-easy to imaging how it might be done, but very hard to implement without the use of refresh tokens. Also, the working group recommendation provides no helpful ‘next steps’ (or pointers to any).
This article provides a very nice wrapper around the subject of ‘should I switch from Implicit Flow to ACG+PKCE?’, and also provides some concrete steps regarding how one can make that decision, and actually begin to make the switch.
Many thanks to Auth0 and to Mr. Bertocci.