I am using a hybrid flow with "id_token" for OpenID Connect and "code" for an
Authorization Code. I would use "token" too, but that doesn't seem to be
supported for standard web apps and could result in strange session-hijacking
issues.
We still need PKCE sometime in the future; however, it's not a priority: the
worst attack someone could pull off is to use a different user's Authorization
Code and steal a Department, which probably isn't too big of a deal, as the
Authorization Code should be secret anyway.
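The PKCE check the post defers, shown as an added example (not code from the original post or its project): an S256 code_verifier/code_challenge pair per RFC 7636, and a constructed in-memory stand-in for the authorization server that refuses to redeem an Authorization Code presented by anyone who does not hold the verifier that started the flow. The `AuthorizationServer` class, user name and scenario names are assumptions for illustration.

```python
import base64
import hashlib
import secrets

# PKCE (RFC 7636, S256 method) ties an authorization code to the client that
# began the flow, so a code taken from another user's session cannot be
# redeemed without that client's code_verifier.

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved chars, inside the 43..128 range RFC 7636 requires
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Constructed in-memory stand-in for the /authorize and /token endpoints."""
    def __init__(self):
        self._codes = {}  # code -> (user, code_challenge)

    def authorize(self, user: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("plain challenges are rejected; only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (user, code_challenge)
        return code

    def token(self, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None:
            return None
        user, challenge = entry
        # constant-time comparison of the recomputed challenge against the stored one
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"sub": user, "access_token": secrets.token_urlsafe(16)}

def run_scenarios() -> dict:
    """Legitimate redemption succeeds; a replayed or substituted code does not."""
    srv = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = srv.authorize("alice", challenge)
    legit = srv.token(code, verifier)     # alice's client, matching verifier
    replay = srv.token(code, verifier)    # same code again: already consumed
    other_code = srv.authorize("alice", challenge)
    stolen = srv.token(other_code, make_code_verifier())  # code without alice's verifier
    return {"legit": legit, "replay": replay, "stolen": stolen}
```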