ximm | 2 months ago

I also think these are very similar. The main difference in my view is that the state parameter is checked by the client, while PKCE is checked by the server.

I run an authentication server and requiring PKCE allows me to make sure that XSS protection is handled for all clients.

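Added example (not part of the comment above and not code from any real authorization server): the two checks the comment contrasts, with PKCE S256 verification enforced by a hypothetical in-memory `AuthServer` and the `state` comparison left to a hypothetical `Client`. All class and method names are assumptions for illustration; the challenge derivation follows RFC 7636.

```python
import base64, hashlib, hmac, re, secrets

VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthServer:
    """Hypothetical in-memory authorization server that requires PKCE (S256)."""
    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge=None, method=None):
        # Server-side enforcement: every client must send an S256 challenge.
        if not code_challenge or method != "S256":
            raise ValueError("invalid_request: PKCE with S256 is required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        challenge = self._codes.pop(code, None)  # codes are single use
        if challenge is None or not VERIFIER_RE.fullmatch(code_verifier or ""):
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            raise ValueError("invalid_grant")
        return "access-token-" + secrets.token_urlsafe(8)  # constructed placeholder

class Client:
    """Hypothetical client; the state check lives here and the server never sees it."""
    def start(self):
        self.state = secrets.token_urlsafe(16)
        self.verifier = secrets.token_urlsafe(32)  # 43 characters
        return self.state, s256_challenge(self.verifier)

    def state_ok(self, returned_state):
        # Client-side check: only as reliable as each client's implementation.
        return hmac.compare_digest(self.state, returned_state)
```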