Regarding PKCE, the way I remember it is that OAuth2 was deliberately designed t...

		tptacek 26 days ago \| parent \| context \| favorite \| on: Things I learnt about passkeys when building passk... Regarding PKCE, the way I remember it is that OAuth2 was deliberately designed to eliminate as much actual cryptography as possible, relying instead on same-origin and TLS security; PKCE is one of the few things that introduces an actual cryptography primitive.