
PKCE support for SPA

spa
pkce
authorization-code

#1

Are you planning to support recommendations given in https://tools.ietf.org/id/draft-parecki-oauth-browser-based-apps-00.html?

Auth0.js does not support Authorization Code flow or the PKCE feature. Would like to see a commitment for supporting that.

Until then, we are looking into using AppAuth-JS instead, and marking our SPA as Native to get the PKCE support. Is this a valid approach in your opinion?


#2

Correction: We will not need to falsely mark the SPA as Native in order to get the PKCE codes verified by Auth0. It seems that Auth0 validates PKCE when present, regardless of application type. The documentation had me believe otherwise…


#3

Seems also that Auth0 does not support the response_mode “fragment” for Authorization Code Grant. This makes it less suitable for implementing Auth Code Grant for a browser-based application (like a SPA), where you want the “fragment” mode and not “query” mode.