Understanding OAuth 2.0 Grant Types – A Quick Guide

1 mooreds 1 5/2/2025, 1:18:21 PM fusionauth.io ↗

Comments (1)

akoboldfrying · 1d ago
The Authorisation Code Flow described here, and on the linked detail page, omits to mention that a client secret must also be passed to the auth endpoint. If just an authorisation code and (public) client ID are sufficient to authorise, then the setup is vulnerable to a malicious browser: as soon as the auth endpoint sends the redirect containing the auth code, the browser can use that and the client ID to authorise itself.

In fact, the linked detail page for this flow even shows a full example HTTP POST request that omits any such client secret.

Is the intention that the "client ID" by itself is a secret (known only to the app)? If so, that should definitely be mentioned explicitly!
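The distinction the comment is circling, as an added example that is not from the linked guide or from FusionAuth's code: a toy check for the token endpoint in which a confidential client must present its client secret alongside the code, while a public client (a browser app, which cannot keep a secret) proves it started the flow with the standard PKCE code_verifier (RFC 7636). Client names, secrets, codes and redirect URIs are constructed; the verifier is the RFC 7636 Appendix B sample.

```python
import base64
import hashlib
import hmac

# Constructed registry: a confidential client holds a secret the browser never
# sees; a public client (browser app) cannot keep one, so it must use PKCE.
CLIENTS = {
    "web-app": {"type": "confidential", "secret": "constructed-client-secret"},
    "spa": {"type": "public"},
}
# The RFC 7636 Appendix B sample code_verifier, used here as constructed input.
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sample_store() -> dict:
    """Constructed state the authorization server keeps after issuing codes."""
    return {
        "code-web-1": {"client_id": "web-app", "redirect_uri": "https://app.example/cb",
                       "code_challenge": None},
        "code-spa-1": {"client_id": "spa", "redirect_uri": "https://spa.example/cb",
                       "code_challenge": s256_challenge(VERIFIER)},
    }


def redeem_code(store, code, client_id, redirect_uri, client_secret=None, code_verifier=None):
    """Token-endpoint check: True only if the caller proves it is the client the code was issued to."""
    record = store.pop(code, None)  # single use: a replayed or unknown code always fails
    if record is None or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return False
    client = CLIENTS[client_id]
    if client["type"] == "confidential":
        # Code + client_id alone is not enough: the client must present its secret.
        return client_secret is not None and hmac.compare_digest(client_secret, client["secret"])
    # Public client: bind the code to whoever started the flow via the PKCE verifier.
    if code_verifier is None or record["code_challenge"] is None:
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), record["code_challenge"])
```

A browser that only captured the redirect holds the code and the public client_id, but neither the secret nor the verifier, so both branches reject it.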