Hi Jeremy, thanks for responding.
I know there is really nothing new that makes the Implicit flow worse than before. Still, these discussions, I feel, give more weight to those (including me) who feel that the Implicit flow is not a good idea. Especially so when we are building a new application. In the words of some security experts, the Implicit flow is to be regarded as deprecated. And I agree with what the recommendations aim for.
I also appreciate that there will be some time until it consolidates into a solid (standard) approach to implement for AS/IP like Auth0.
But as we are building a new system, and the use of Authorization code flow with PKCE is not that far off, I want to recommend we take that path. At least as an intermediate solution. There might even be a way for us to move all token handling to server side, but that is farther down the road.
So now I know you will wait for the discussions and recommendations to settle.
I made a proof of concept converting the Auth0 example SPA app to Auth code/PKCE using the AppAuth.js library. The only quirk was that response mode did not support “fragment” for Auth code grant type.
In your opinion are there any strong arguments against going with this approach?
And would you please consider supporting response mode “fragment” for Auth code grant type?