Do I need PKCE?

 Fantastic question. This gets to the heart of OAuth2/OIDC security—and where web security, browser limitations, and OAuth’s different client types matter.

1. Public vs. Confidential Clients

  • Confidential clients (like backend servers) can keep secrets—they don’t expose them to the user/browser.

  • Public clients (like browser SPAs, native mobile apps) can never keep a real secret—anything bundled in JS, HTML, or shipped to a device is fundamentally accessible to a user or attacker.

2. What do real IDPs do?

  • Browser-based SPAs (e.g. React, Vue, plain JS, Flask-with-templates) are always “public clients.”

    • They either don’t use a secret, or use PKCE (“Proof Key for Code Exchange”) instead of a secret, to avoid leaking secrets in public code.

    • Most modern OAuth providers (Auth0, Google, Okta, Microsoft) require PKCE for SPAs and ignore the client secret in this context.

  • Backend (server-side) clients (e.g. your Flask API gateway if it runs as a real server, not just a static file server) can keep secrets and are “confidential clients.” They can safely send a client_secret in the /token exchange.

3. For Your Setup (MVP):

  • If your Flask API Gateway is acting as a true backend (not just serving JS to the browser) and handles the code/token exchange server-to-server, then using a client secret is okay. The secret is NOT exposed to the browser.

  • If you were to write a pure JS SPA (React, Vue, etc.), you should not use a client secret—only PKCE.

4. How to Know Which to Use?

  • If your Flask app runs on the server and users only interact via browser forms that POST to Flask endpoints:
    ✔️ Safe to use client_secret in server-to-server calls.

  • If you ever expose the secret to JS in the browser:
    Do not do this! Use PKCE and register as a public client.

5. Summary Table

App Type Uses client_secret Uses PKCE Example
Backend Flask API Yes No Your current approach
JS SPA (browser) No Yes* React/Vue SPA
Mobile App No Yes* iOS/Android native

* “Yes” = recommended/best practice.

6. TL;DR for Your Project

  • You are OK to use client_secret because your Flask gateway is not browser code.

  • Don’t ever leak that secret to the client (browser-side JS).

Want to go full Auth0/Okta-style?

  • Add PKCE to support “public clients” in the future.

  • For now, with Flask as backend, this is standard and safe.

Let me know if you want to see a PKCE flow or keep going with the server-based setup!

Comments

Post a Comment

Popular posts from this blog

Feature: Audit log for one login, and identity service

Image
Customer (Product) Page High-Level System Design Diagram (PlantUML) Sequence Diagram: Audit Event Ingestion Sequence Diagram: Orchestration Event For a High-Level System (Component) Diagram The queue is implemented as message_queue (generic), and the audit log service consumes from it, writing to a dedicated audit_log table. The logging service also consumes from the same message_queue and writes to log_store. Orchestration/other services use the same queue. Summary Table: What Writes Where Event Type Goes Into Consumed By Final Storage audit message_queue Audit Log Service audit_log table log message_queue Logging Service log_store table doc_uploaded message_queue Orchestration Worker (business DB, or triggers next event) ocr_ready message_queue Notification Worker, etc. (notification log, etc.)  Core Tables message_queue – universal event bus (temp buffer) audit_log – immutable audit/compliance events log_store – application logs (op...
Read more

Getting started - Build your data science lab environment

This guide explains how to set up a complete data science environment for the udemy program. A proper setup ensures compatibility and avoids recurring environment issues.  1. Overview Goal : Create a full-featured environment with sufficient resources for all course exercises. Recommendation : Use Anaconda for the most reliable setup. Alternative : Use a Python virtual environment with pip if Anaconda isn’t working. 2. Setup Options Primary (Recommended) Create a dedicated Anaconda environment (isolated, compatible). Alternative Use a standard Python virtualenv + pip (faster but less reliable). 3. Windows Setup Steps Clone Course Repository git clone https://github.com/ed-donner/llm_engineering/ Follow the repository’s README.md instructions for additional setup details. Create Anaconda Environment Inside the llm_engineering folder: conda env create -f environment.yml ⏳ This may take several minutes. Activate the environment: conda activate llms Deactivat...
Read more

QA - Run #1 - Results

Image
# QA Report for Tag QA_July2025_A - **Tag/Commit:** QA_July2025_A (`f32abc1`) - **Date:** 2025-08-01 - **QA Outcomes:** All tests passed except for file upload (see below)... - **Environment:** Windows 10, Python 3.12, requirements.txt as of tag - **Notes:** See log for detailed results. ## Issue Found - **Step:** - **Bug:** - **Log excerpt:** - **Screenshot:** For this QA run, we begin with pristine state by: Stop all services Delete logs.db, and jobs.db Delete all files in doc_store folder Start all services Test, you should see no data on index page, and query should result in no data found error Next, go ahead and upload new1.txt, and after that new2.txt Issue the query: "can you summarize all of the todo items you can find, seperating each one on a single line, with due date first, then title, and description with any details you can augment" Expected Answer: - August 1, 2025: Respond to Amira and discuss weekend plans - August 3, 2025: Go to Somesh class and finish ta...
Read more