Ask HN: Why woudn't GitHub support PKCE for OAuth?

1 points by brailsafe ↗ HN
The GitHub API currently supports the Device Flow for apps intended to be deployed on platforms that don't have their own input method, but explicitly doesn't support the PKCE extension to OAuth 2. In a number of easily found community discussion threads, it seems the team has opted instead to update the documentation to note that it isn't supported, rather than elaborating on any plans to do so in the future or explanation for it's absence.

Somewhat ironically (based on my limited understanding of that codebase and OAuth itself), the GitHub Desktop repo ships a developer client_secret in their codebase.

Without PKCE, the Device Flow seems to be the only way to authorize a public application to act on a user's behalf directly with the resource server, with no intermediary proxy server used only to hide the client_secret. This adds complexity and cost to what is already a multi-step exchange.

Are there any reasons they'd be hesitant to do so, other than lack of priority?

0 comments

[ 2.4 ms ] story [ 9.4 ms ] thread

No comments yet.