DEV Community

Abhay kumar

Why "Log in with Google" never sees your password (PKCE, explained)

Ever wondered how "Log in with Google" works without the app ever touching
your password? That's OAuth 2.0 — and on mobile apps and SPAs, the piece that
makes it safe is PKCE (Proof Key for Code Exchange).

The problem PKCE solves: a public client (a mobile app or SPA) cannot keep a
client secret, so anyone who intercepts the authorization code could exchange
it for a token as if they were the app.

PKCE fixes this with a simple trick:

  1. The app generates a random "code verifier"
  2. It sends a hashed version (the "code challenge") when starting login
  3. To redeem the code, it must present the original verifier

An intercepted code is useless without the verifier that only the real app has.

I broke down the whole flow step by step — what each value does and the exact
attack it prevents:

👉 https://www.orbittest.dev/blog/oauth-authorization-code-flow-pkce

Are you using PKCE in your SPA/mobile auth today?
