App Security
At WunderGraph, we take your app security seriously.
The implicit flow is widely considered insecure. It introduces various attack vectors because it does not use
the /token endpoint; instead, the access_token and id_token are returned directly via a redirect to a callback URL.
For SPAs, we have implemented the Authorization Code flow with Proof Key for Code Exchange alongside Refresh Token Rotation.
Authorization Code Flow
The Authorization Code flow is typically used for server-side apps, but it is more secure than the implicit flow because
you are provided with an authorization code, which you then exchange for your access_token and id_token.
The exchange is performed with a POST request to the token endpoint. SPAs cannot securely store a client_secret; in
this regard, the SPA can allow a user to authenticate with just a client_id and a valid redirect_uri.