Hello,
I'd like to know if deliberately not using PKCE in a mobile app intended for public release is still OK.
I have successfully implemented both methods and was fully committed to going for PKCE until I found out the refresh token can only be used once, after which the whole authorization process has to be repeated.
Non-PKCE auth flow, on the other hand, does not suffer from this limitation. I assume the PKCE requirement is for added security, but from the UX perspective, I definitely prefer not to bother users with constant authorization requests.