# Security

## Authentication of Client Application

The Auth Link API supports the plain Authorization Code Flow (RFC 6749) for confidential client applications (e.g. web app with a server side) and the PKCE (RFC 7636) extension for public client applications (e.g. Single Page (web) App or native mobile application).

### Confidential Client Applications

The only additional requirement is that the `client_secret` parameter is included in the Authorization Code Exchange (POST `/token` endpoint).

### Public Client Applications

To implement the PKCE extension, the `code_challenge` and `code_challenge_method` parameters must be passed in the initial Authorization Request (GET `/link` redirect).

Then, the `code_verifier` field must be included in the Authorization Code Exchange (POST `/token` endpoint).

A good guide on PKCE can be found [here](https://aaronparecki.com/oauth-2-simplified/#single-page-apps).
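The following is an added example (not part of the Auth Link documentation or its client libraries) showing both flows described above: the confidential client sends `client_secret` at `/token`, while the public client generates a `code_verifier`, sends its S256 `code_challenge` on the `/link` redirect and the `code_verifier` at `/token`. The host in `AUTH_LINK_BASE` is a placeholder, since the page only names the `/link` and `/token` paths; the remaining parameter names (`response_type`, `client_id`, `redirect_uri`, `state`, `grant_type`, `code`) are the standard RFC 6749 ones, and `verifier_matches_challenge` is the check the server side performs, included so the pairing can be verified offline.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Placeholder host: the page documents the /link and /token paths only.
AUTH_LINK_BASE = "https://auth.example.invalid"


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier (RFC 7636 section 4.1): 32 random bytes
    base64url-encoded give 43 unreserved characters (allowed range 43..128)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """S256 method (RFC 7636 section 4.2):
    code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, state: str,
                            code_challenge: Optional[str] = None) -> str:
    """GET /link redirect. Public clients add code_challenge and
    code_challenge_method; confidential clients omit both."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # CSRF binding; compare on the redirect back
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{AUTH_LINK_BASE}/link?{urlencode(params)}"


def build_token_request(code: str, redirect_uri: str, client_id: str, *,
                        client_secret: Optional[str] = None,
                        code_verifier: Optional[str] = None) -> dict:
    """Form body for POST /token. Exactly one of client_secret (confidential
    client) or code_verifier (public client) must be supplied."""
    if (client_secret is None) == (code_verifier is None):
        raise ValueError("give either client_secret or code_verifier, not both or neither")
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    else:
        body["code_verifier"] = code_verifier
    return body


def verifier_matches_challenge(code_verifier: str, code_challenge: str) -> bool:
    """Server-side check at /token: recompute the challenge from the presented
    verifier and compare in constant time."""
    return secrets.compare_digest(make_code_challenge(code_verifier), code_challenge)


if __name__ == "__main__":
    # Public client (SPA / native app): PKCE end to end.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorization_url("my-spa", "https://app.example.invalid/cb",
                                  secrets.token_urlsafe(16), challenge))
    print(build_token_request("<code from redirect>", "https://app.example.invalid/cb",
                              "my-spa", code_verifier=verifier))
    # Confidential client (server-side web app): secret instead of verifier.
    print(build_token_request("<code from redirect>", "https://web.example.invalid/cb",
                              "my-webapp", client_secret="<client secret>"))
```

The verifier must be generated fresh per authorization request and kept only in the client that started the flow; the challenge is the only value that travels through the browser redirect, so an intercepted code is useless without the verifier.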

### WebView considerations

When embedding the Auth Link UI within a WebView, you may choose to restrict access to only those origins that match `https://*.open-utilities.com`.
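The origin check that pattern implies, written as an added example rather than code from the Auth Link project. It parses the URL and tests the hostname, because a plain substring search for `open-utilities.com` would also accept hosts such as `open-utilities.com.attacker.example`; the `*.` wildcard is read as requiring at least one label in front of the suffix, and only `https` is accepted. Ports are not part of the page's pattern, so a non-default port on an allowed host is accepted here; tighten that if your deployment needs it.

```python
from urllib.parse import urlsplit

# From the page's pattern https://*.open-utilities.com
ALLOWED_SUFFIX = ".open-utilities.com"


def origin_allowed(url: str) -> bool:
    """True only for https URLs whose hostname is a subdomain of
    open-utilities.com. Checks the parsed hostname, not the raw string,
    so userinfo tricks ('https://x.open-utilities.com@attacker.example')
    and look-alike suffixes are rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    # '*.' needs at least one label before the suffix, so the bare apex fails.
    return host.endswith(ALLOWED_SUFFIX) and len(host) > len(ALLOWED_SUFFIX)


if __name__ == "__main__":
    # Constructed sample navigations a WebView might be asked to load.
    for candidate in [
        "https://api.open-utilities.com/link?client_id=x",
        "https://open-utilities.com/",
        "http://api.open-utilities.com/",
        "https://open-utilities.com.attacker.example/",
        "https://api.open-utilities.com@attacker.example/",
    ]:
        print("allow" if origin_allowed(candidate) else "block", candidate)
```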
