You want to securely implement the Authorization Code Flow in a single-page application (SPA). Which approach best protects the authorization code from interception?

Rest API - Authentication and Authorization (Application, hard, Q8 of Q15)
A. Send the authorization code via URL fragment (#) instead of query
B. Use PKCE (Proof Key for Code Exchange) with the flow
C. Store the authorization code in localStorage immediately
D. Skip the authorization code and use implicit flow
Step-by-Step Solution

  1. Step 1: Understand SPA security risks

    SPAs run entirely in the browser and cannot securely store a client secret, so PKCE is used to protect the authorization code exchange instead.
  2. Step 2: Identify the best protection method

    PKCE adds a code verifier and a code challenge to the flow, so an authorization code that is intercepted cannot be exchanged for tokens without the verifier, which also prevents replay.
  3. Final Answer:

    Use PKCE (Proof Key for Code Exchange) with the flow -> Option B
  4. Quick Check:

    PKCE secures the SPA authorization code flow.
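To make Step 2 concrete, here is an added example (not part of the quiz or any library's code) showing the PKCE round trip: the SPA creates a random code verifier and its S256 challenge, the authorization server binds the challenge to the issued code, and the token endpoint only redeems the code when the matching verifier is presented. The `AuthorizationServer` class is a constructed in-memory stand-in for the server side, not a real implementation.

```python
"""PKCE (RFC 7636) verifier/challenge round trip, written as a worked example."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved characters, inside the 43..128 range
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the server side; keeps state in memory only."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # issued code -> bound code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge  # the challenge travels with the request
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        challenge = self._pending.get(code)
        if challenge is None or code_verifier is None:
            return False  # unknown/consumed code, or no verifier offered
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return False  # verifier does not hash to the bound challenge
        del self._pending[code]  # single use: a replayed code is rejected
        return True


def run_flow() -> Dict[str, bool]:
    """Shows why an intercepted code alone is useless under PKCE."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    return {
        "intercepted_code_alone": server.token(code, None),
        "intercepted_code_wrong_verifier": server.token(code, make_code_verifier()),
        "legitimate_exchange": server.token(code, verifier),
        "replay_after_success": server.token(code, verifier),
    }
```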
Quick Trick: Use PKCE to secure the authorization code in SPAs.
Common Mistakes:
  • Thinking the URL fragment hides the code securely
  • Storing the code in localStorage, which exposes it
  • Using the implicit flow, which is considered less secure nowadays
