Hi Albin,
It’s important to note that PKCE does explicitly prohibit
client_secret, just offers a secure way of obtaining an access token
when it’s impossible for a client_secret to be kept secret, as would
be the case with a mobile application. The type of attack it prevents
against is during the

Hi all,
I was looking around for guidance around how to refresh access tokens on
native mobile experiences.
Suppose we’re using a normal OAuth auth code flow with a mobile app (Chrome
custom tabs/ASWebAuthenticationSession and all). Also, we want to reduce the
interruptions to the end user.
In gene