If you've used things like Google Sign In, Twitter authentication or GitHub authentication (to name a few common examples), or enabled integrations...
It's good to see someone talking about OAuth. I feel like OAuth in general is in this kind of awkward place where most devs will almost certainly have to deal with it at some point, but it's complex enough that people will usually just kind of fiddle with it until they can make what they're trying to do work, and then promptly forget all about it until the next time they need it. I know that's definitely how I felt about it until I got a project that kind of forced me to dive deeper into it.
That being said, while you do a good job of explaining the flows, I think it's a bad idea to represent the implicit grant as the "default" OAuth flow or even to really encourage people to use it at all, given that the same OAuth 2.0 Security Best Current Practice document you linked has this to say about it:
Yeah, using PKCE definitely helps, but people still really shouldn't be using the implicit grant unless they absolutely need to. The Authorization Code grant is both more secure by default and significantly more common in the wild (in my experience, at least), and there's no reason you can't use it if you're building a typical web app.
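Since the thread keeps coming back to PKCE and the Authorization Code grant, here is an added worked example (not code from the article or from any commenter) of what PKCE actually does on both sides: the client derives a `code_challenge` from a random `code_verifier`, sends the challenge on `/authorize`, and later proves possession of the verifier on `/token`. The `ToyAuthorizationServer` class, the client id `my-spa` and the redirect URI `https://app.example/cb` are constructed placeholders for illustration; the verifier/challenge pair used in the test is the one printed in RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) for the Authorization Code grant: client and server side."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes -> 43 chars, the RFC minimum length."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Client side: the front-channel request. Only the challenge leaves the client."""
    params = {
        "response_type": "code",          # Authorization Code grant, not 'token' (implicit)
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # 'plain' is allowed by the RFC but should not be used
    }
    return authz_endpoint + "?" + urllib.parse.urlencode(params)


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and compare in constant time."""
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False  # unknown method: reject rather than guess
    return hmac.compare_digest(expected, stored_challenge)


class ToyAuthorizationServer:
    """Constructed in-memory stand-in for /authorize and /token (assumption for this example, not a real AS)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str, challenge: str, method: str) -> str:
        """Issue a short-lived code bound to the client, redirect URI and PKCE challenge."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, challenge, method)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str):
        """Redeem a code. Any attempt consumes it (single use); PKCE mismatch yields no token."""
        record = self._codes.pop(code, None)
        if record is None:
            return None
        stored_client, stored_redirect, challenge, method = record
        if stored_client != client_id or stored_redirect != redirect_uri:
            return None
        if not server_verify_pkce(challenge, method, code_verifier):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo_interception() -> dict:
    """Show why a leaked code alone is useless: the attacker never saw the verifier."""
    server = ToyAuthorizationServer()
    client_id, redirect_uri = "my-spa", "https://app.example/cb"  # constructed values

    # Flow 1: attacker intercepts the code (e.g. via a leaky redirect) and tries to redeem it.
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, code_challenge_s256(verifier), "S256")
    attacker = server.token(code, client_id, redirect_uri, make_code_verifier())

    # Flow 2: the legitimate client redeems its own code with the matching verifier, then replays it.
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, code_challenge_s256(verifier), "S256")
    legit = server.token(code, client_id, redirect_uri, verifier)
    replay = server.token(code, client_id, redirect_uri, verifier)

    return {
        "attacker_got_token": attacker is not None,
        "client_got_token": legit is not None,
        "replay_got_token": replay is not None,
    }


if __name__ == "__main__":
    print(demo_interception())
```

The example also shows the two checks PKCE does not replace: the server still binds the code to `client_id` and `redirect_uri`, and still makes it single use. PKCE only closes the gap where an attacker who observes the code (but not the verifier) could otherwise exchange it for a token.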
Do you know if Keycloak is already supporting it?
I'm not personally familiar with Keycloak, but I was able to find this thread by doing a search on their site, which seems to show there was at least a branch that supported PKCE as of last year. lists.jboss.org/pipermail/keycloak...
Thanks for your research :-)
PKCE is supported in Keycloak in the Implicit flow only; it is currently still being worked on to apply to all flows.
Ah, thanks :-)