Have we considered replacing the device_code logic with PKCE now that
PKCE exists? At the time we started this spec I'm not sure PKCE was
around, but now that it exists and is required (practically speaking)
for mobile apps, should we look at using it instead of device_code to
protect this flow
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 Device Flow for Browserless and Input
Constrained Devices
Authors : William Denniss
