Docs show that client side web apps are a key use case and shouldn't require a client secret and should use PKCE.
auth0.com/docs/get-sta...
@dynamicwebpaige.bsky.social know anyone who might be able to help?
I'm trying to build an OSS, Google colab style notebook (web.runme.dev). This is intentionally designed to not require a backend to view/edit notebooks stored in drive. So the PKCE flow happens entirely in the browser.
Trying to convince folks that a client secret is not a secret is a tremendous lift. Not at all helped by Google's docs advising in multiple places that client secrets should be protected as secrets.
I suspect many developers have burned hours on this.
Cc @developers.google.com
Nice writeup of the issue.
ktaka.blog.ccmp.jp/2025/07/oogl...
Are there any Googlers who can confirm if this is by design and not a historical artifact?
From a technical/security perspective I think client secrets aren't secrets and you can distribute them in your app just like a client ID.
It is frustrating/baffling to me that electron apps can't be distributed as web apps. I don't understand why browsers force you out of the browser to run a webapp that talks to a colocated, custom server.
Does anyone know if Google OAuth requires a client_secret for the PKCE flow?
If I don't include a client_secret, the token exchange fails with 400 client_secret is missing.
Is there some user magic words to trigger a PKCE flow without requiring a client secret? My client is for web.
The presumption is that experienced engineers achieved that through mentorship. While this is undoubtedly true for some folks I think a lot of folks learned by just trying stuff and seeing what worked and what didn't.
As a developer why would you want to use a framework whose tests are closed source and not accessible to an AI? The value prop of PAAS was that IAAS was velocity and reliability. You paid a markup for it. Maybe AI + IAAS is a better value? Not sure walling off your tests is going to prevent that.
Are you building your own agent harness? Did you consider supporting existing harnesses such as Claude and Codex?
Did you try creating an environment and configuring the network access to allow it?
For me codex (app + 5.3) is an inflection point. I have enough confidence in the AI's coding ability to focus more on design and testing. Concretely: iterating with the AI on design docs and CUJs. CI generates videos of CUJ walkthroughs making it easy to verify tests do what they claim.
You're right that I don't understand TS/REACT syntax in the same way I do GoCode. I almost certainly couldn't write it by hand. I'm not sure I care though; I'm tired of wasting my heartbeats getting persnickety machines to do what I want. I just want to build the app in my head quickly.
I've been developing a Google colab like notebook which I could only do thanks to codex. This has been a great tool for learning frontend and the web platform. More importantly it's let me focus more on thinking about the business problem I'm trying to solve and how to get people to adopt it.
AI could be the tower of babel for tech companies. Before AI you needed to pool human capital to build something noteworthy. This was a strong incentive to pay the high cost of consensus building. With AI you can get much further by oneself. But that only postponed the reckoning.
It's Feudalism just by a different name.
Appreciate you being a tech leader willing to state the obvious.
As I watch what's happening in Minneapolis and around the country, to me the immediate risk of AI is that it's consolidating power and wealth in the hands of tech executives that willingly endorse what's happening as long as they get their GPUs.
To all my New England friends.
It's 61 degrees and sunny in the bay.
Twitter died a long time ago and X isn't worth it. Before I made the jump, my ego was holding me back. I was too concerned with vanity metrics. I finally realized if you're posting stuff people want to follow, then they'll follow you, even when you leave. www.siliconrepublic.com/enterprise/k...
Police Repeatedly Shoot Tim Cook After Mistaking iPhone For Gun https://theonion.com/police-repeatedly-shoot-tim-cook-after-mistaking-iphone-1824184361/
One of the best things I've read in a while:
I work in tech. I emailed my leadership letting them know I hope they acknowledge the events in Minneapolis and take a position. Small as it is; there was a time when I wouldn't have had to ask. I don't know how but I want to try to hold tech accountable.
Can you share a list of attendees
Immigration is key to AI and tech. Tech isn't shy about fighting for its interests (e.g. net neutrality). The tech industry should be at the vanguard because AI companies are one ICE raid away from disaster.
This is ok tho
I think the market keeps wanting to believe things haven't changed but they have. We are very clearly in an era where the president is willing to go after anyone, any country or any company that displeases him. The volatility should scare most investors.
www.nytimes.com/2026/01/21/b...
Based on this post; the coin creator pumps up the initial value with their own money to entice the OSS maintainer to claim their coin. This is intended to incentivize the OSS person to then start promoting it. Which is what happened here.
www.seangoedecke.com/gas-and-ralph/
That didn't take long
I don't understand the argument that acquiring Greenland is vital to our national security. I can't think of anything more dangerous and a bigger gift to Russia and China than the fracturing of NATO.
How are these clowns in charge?
www.nytimes.com/2026/01/20/u...
@gomez.house.gov what can we do to show our support for your bill
gomez.house.gov/news/documen...