Which one is more safe for the web app with server, PKCE Flow or standard Authorization Code Flow?

Question

It is known that PKCE Flow is good solution for SPA or native app, rather than the standard Authorization Code Flow. However for the web app with server ("confidential client" as defined in RFC 6749), which one is more safe?

As mentioned in this post, "PKCE is all about verifying that the client that initiated the initial authentication request is also the same that uses the authorization code to get the real tokens."

How can Authorization Code Flow with PKCE be more secure than Authorization Code Flow without client_secret

However PKCE cannot involve client credentials (client_secret), which is used in the Authorization Code Flow to make sure the requester is the authenticate client.

So seems the standard Authorization Code Flow is more safe than PKCE Flow, for the web app with server (confidential client).

Nor sure is this unstanderding correct? Because we can see in the latest oauth2.1 draft it seems prefer PKCE, as it says "PKCE is required for all OAuth clients using the authorization code flow".

https://oauth.net/2.1/

Update on May-13 2021: Actually the oauth 2.1 suggests authorization code flow plus PKCE parameters, not using PKCE instead of authorization code flow.

Amazon and Microsoft have followed the suggestion in their spec.

https://developer.amazon.com/zh/docs/login-with-amazon/authorization-code-grant.html

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Thanks all

Answer 1

You can refer to this document>> https://fusionauth.io/blog/2020/04/15/whats-new-in-oauth-2-1 and references for more details. The answer to your question is >> PKCE is safer than a normal Authorization code grant or any other grant.