Add PKCE Support to the OAuth2.0 Authorization Code Flow
I am currently developing a native Android application for Twitch and want to make use of the OAuth2.0 API. Since the Twitch Authorization Server doesn't seem to support PKCE (Proof Key for Code Exchange), I will have to put my client secret into my native application, which isn't secure at all, because the app can easily be decompiled.
This is a requirement for all native apps, as stated by the IETF in RFC 7636 (https://tools.ietf.org/html/rfc7636).
I hope to see this implemented soon, because this poses a huge security risk for all native apps and their developers.
Someone please implement this soon!
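For readers who have not seen the mechanism the post is asking for, here is an added worked example of PKCE as RFC 7636 defines it, written for this thread and not taken from Twitch or from the original poster. Both halves are shown: what the native app does (generate a random code_verifier, send only its S256 code_challenge on the front channel, present the verifier at the token endpoint) and the check an authorization server has to perform before redeeming a code. The `AuthServer` class is an in-memory stand-in I wrote for illustration, not Twitch's endpoints; the `make_*`, `run_flow` and `VERIFIER_RE` names are mine. No client secret appears anywhere, which is the point of the request.

```python
"""PKCE (RFC 7636) end to end, simulated in memory.

Added example for this thread, not Twitch's code. AuthServer is a stand-in
for an authorization server that supports PKCE; it keeps state in a dict.
"""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: the verifier is 43..128 characters from [A-Za-z0-9-._~].
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_code_verifier(length: int = 64) -> str:
    """High-entropy verifier the app keeps in memory and never sends on the front channel."""
    if not 43 <= length <= 128:
        raise ValueError("RFC 7636 requires 43..128 characters")
    # 96 random bytes give 128 base64url characters; truncate to the requested length.
    return b64url_nopad(secrets.token_bytes(96))[:length]


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Minimal stand-in for an authorization server with PKCE support (assumption: in-memory state)."""

    def __init__(self) -> None:
        self._codes = {}  # one-time authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """/authorize: issue a code and remember the challenge that was bound to it."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: str):
        """/token: the code is single use, the verifier must be well formed and must match the stored challenge."""
        entry = self._codes.pop(code, None)  # pop: a replayed code is rejected
        if entry is None or not VERIFIER_RE.match(code_verifier or ""):
            return None
        challenge, method = entry
        expected = make_code_challenge(code_verifier) if method == "S256" else code_verifier
        if not hmac.compare_digest(expected, challenge):  # constant-time comparison
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def run_flow(server: AuthServer, code_only: bool = False):
    """The native-app flow. With code_only=True, model a party that observed the
    authorization code on the redirect but does not hold the app's verifier."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(challenge, "S256")  # only the challenge crosses the front channel
    presented = make_code_verifier() if code_only else verifier  # a fresh verifier cannot match
    return server.token(code, presented)


if __name__ == "__main__":
    server = AuthServer()
    print("legitimate client:", run_flow(server))
    print("code without verifier:", run_flow(server, code_only=True))
```

The two properties worth noticing: the server never needs a client secret to decide whether the code is being redeemed by the app that started the flow, and a code seen by anyone else is worthless without the verifier, so nothing of value has to ship inside the APK.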
IETF best practice REQUIRES PKCE for public clients (e.g. standalone applications) and RECOMMENDS it for confidential clients (e.g. web servers). Twitch should transition away from implicit authorization to the PKCE authorization code flow.
Absolutely required; the only options (AFAIK) are to use the implicit flow, which has inherent risks when using the access token for API calls, or to expose the client secret.
PKCE is vital to ensure public client applications can be secured!