PKCE extension for OAuth authorization code flow

Currently Twitch provides authorization code and implicit code flows, but neither of them is secure outside of a browser (and the implicit code flow is also inconvenient as it requires opening a browser to renew a token).
The recommended way for native apps is PKCE which basically makes it possible to use a client-generated “code verifier” instead of a client secret.

P.S. I found this article that I think is good at explaining what’s wrong with using either flow without PKCE

The page on on implicit flow also states that PKCE should be used instead (and implicit grant type is discouraged even for browser-based apps) and provides links to a few other articles on the topic.
OAuth 2.0 Implicit Grant Type

To clarify: lack of PKCE support seems like an important security issue for native (mobile and desktop) apps using Twitch APIs.
So I’d like to hear what Twitch position on this is and whether they are going to implement PKCE or not.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.