What is PKCE and why every OAuth app should use it
Blog post from WorkOS
OAuth 2.0 introduced a flexible framework for delegated authorization. As new security concerns emerged, the specification evolved, and Proof Key for Code Exchange (PKCE) was introduced as an enhancement to the Authorization Code Flow, aimed in particular at public clients such as single-page applications and mobile apps. With OAuth 2.1, PKCE becomes mandatory for all applications, including confidential clients, because it protects against authorization code interception attacks and gives every client type the same security model.

PKCE works by adding parameters to the flow, namely a code verifier and a code challenge: the authorization server ties the issued code to the challenge and only exchanges it for tokens when the client presents the matching verifier, so an intercepted code is useless on its own. This safeguard is independent of client secrets, which is why PKCE is recommended for both public and server-side apps.

Although OAuth 2.1 is still a draft, adopting its guidelines ensures compatibility with current authorization servers, strengthens security, and aligns implementations with the direction of the standard. WorkOS supports OAuth 2.1 adoption by providing a platform that incorporates these modern security practices, so developers can focus on user experience while relying on a secure authentication process.
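The verifier/challenge binding described above, as an added example that is not part of the original post or of WorkOS's own code. It implements the S256 method from RFC 7636 (challenge = base64url(SHA-256(verifier))) on the client side and a toy, in-memory authorization server (a constructed stand-in, not a real product) that binds each authorization code to its challenge, accepts the code only once, and rejects an exchange whose verifier does not match. The client and code identifiers are placeholders.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# code_verifier alphabet and length limits from RFC 7636 section 4.1.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data: bytes) -> str:
    """base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh high-entropy secret per authorization request.

    32 random bytes encode to a 43-character verifier, the RFC minimum."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed toy server: stores issued codes together with their challenge."""

    def __init__(self) -> None:
        self._codes: Dict[str, Dict[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind a new code to the presented challenge."""
        if method != "S256":
            # 'plain' sends the verifier itself as the challenge and adds no protection.
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = _b64url(secrets.token_bytes(24))
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def exchange(self, code: str, client_id: str, code_verifier: str) -> Optional[Dict[str, str]]:
        """Token endpoint: release tokens only to the party holding the matching verifier."""
        record = self._codes.pop(code, None)  # every code is single use
        if record is None or record["client_id"] != client_id:
            return None
        if not _VERIFIER_RE.match(code_verifier):
            return None
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), record["challenge"]):
            return None
        return {"access_token": _b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def demo() -> Tuple[bool, bool, bool]:
    """Run three scenarios: honest exchange, replay of a used code, and an intercepted code
    presented without the verifier. Returns (legit_ok, replay_rejected, interception_rejected)."""
    server = AuthorizationServer()

    # Scenario 1: the legitimate client completes the flow.
    verifier = generate_code_verifier()
    code = server.authorize("spa-client", code_challenge_s256(verifier))
    legit_ok = server.exchange(code, "spa-client", verifier) is not None

    # Scenario 2: the same code is replayed after it was consumed.
    replay_rejected = server.exchange(code, "spa-client", verifier) is None

    # Scenario 3: a code is observed in transit but the verifier never left the client.
    verifier2 = generate_code_verifier()
    code2 = server.authorize("spa-client", code_challenge_s256(verifier2))
    interception_rejected = server.exchange(code2, "spa-client", generate_code_verifier()) is None

    return legit_ok, replay_rejected, interception_rejected


if __name__ == "__main__":
    print(demo())
```

The verifier is generated with `secrets` and never appears in the authorization request, so anything that can read the redirect URI (a browser history, a registered custom URL scheme, a proxy log) sees only the challenge and the code, neither of which is enough to call the token endpoint.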