Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This is why it's important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching.
There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure.

— Neil

> On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.slept...@gmail.com> wrote:
>
> I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS", with the objective to verify if they are valid.
>
> I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
> If we decide to implement our client as a frontend SPA, then we have no other option except through a BFF, as PKCE does not help for authentication.
>
> Or is it considered a bad practice to do that?
>
> Regards,
> Stoycho.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
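Added example, not part of the thread above: an authorization-server-side sketch of the "HTTPS endpoints with exact URI matching" point. It registers redirect URIs for a hypothetical public client (client id, hostnames and paths are constructed), enforces HTTPS and explicit hosts at registration time, and compares the requested redirect_uri by exact string equality at authorization time. A prefix matcher is kept alongside only to show which variants of the registered URI it would wrongly accept.

```python
from urllib.parse import urlsplit

# Constructed in-memory client registry for this example; a real AS keeps
# this in its client database, populated at registration time.
REGISTERED_CLIENTS: dict[str, list[str]] = {}


def register_redirect_uris(client_id: str, redirect_uris: list[str]) -> None:
    """Accept redirect URIs for a public client only if ownership of the
    endpoint can reasonably be established: HTTPS, an explicit host (no
    wildcards), and no fragment (fragments never reach the server anyway).

    Loopback redirects for native apps (RFC 8252) are deliberately out of
    scope; this example is about browser-based public clients such as SPAs.
    """
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            raise ValueError(f"redirect_uri must use https: {uri}")
        if not parts.netloc or "*" in parts.netloc:
            raise ValueError(f"redirect_uri needs an explicit host, no wildcards: {uri}")
        if parts.fragment:
            raise ValueError(f"redirect_uri must not carry a fragment: {uri}")
    REGISTERED_CLIENTS[client_id] = list(redirect_uris)


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Exact string comparison against the registered set, as the security
    BCP recommends. No prefix match, no case folding, no normalisation of
    ports, trailing slashes or query strings: any of that loosens the
    binding that lets the AS treat ownership of the URI as the public
    client's authentication.

    On a mismatch the AS should report the error to the user directly and
    must not redirect to the unregistered URI (RFC 6749 section 4.1.2.1).
    """
    return requested in REGISTERED_CLIENTS.get(client_id, [])


def prefix_match_allowed(client_id: str, requested: str) -> bool:
    """The weak pattern, kept only for contrast: prefix matching accepts
    variants of the registered URI that the client may not control."""
    return any(requested.startswith(r) for r in REGISTERED_CLIENTS.get(client_id, []))


# Hypothetical public client registration (constructed sample data).
register_redirect_uris("spa-client", ["https://app.example.com/callback"])

if __name__ == "__main__":
    for uri in [
        "https://app.example.com/callback",
        "https://app.example.com/callback/",
        "https://app.example.com/callback?next=x",
        "https://app.example.com/callback/extra",
        "http://app.example.com/callback",
    ]:
        print(f"{uri:45} exact={redirect_uri_allowed('spa-client', uri)} "
              f"prefix={prefix_match_allowed('spa-client', uri)}")
```

Only the first URI passes the exact check; the prefix matcher additionally accepts the trailing-slash, query-string and extra-path variants, which is exactly the slack the BCP tells an AS not to leave.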