This is a contributors' guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is just a proposal so far, it hasn't been accepted and needs further discussion.
In certain cases, the OAuth 2.0 specs require us to differentiate between client types, i.e. whether a client secret has been issued to the client or not. Because we are not supporting all flows, this can be simplified: it mainly comes down to whether a client secret has to be passed when creating an auth code or tokens.
- Client secret is required if not using PKCE
- Never require client secret
- Add a client type that has to be specified during client creation
Chosen option: Client secret is required if not using PKCE
- Works with all the flows we support
- In case of refresh: we require the client secret if the tokens weren't created using PKCE.
- In all other cases: we require the client secret if the current flow isn't using PKCE.