What authorization flows are recommended for extensions?

Likely Logic

Nov 28, 2020, 9:45:18 AM
to Chromium Extensions
Hi all,

Just about to grapple with auth flows for our extension.

Looking at Authorization Code flow, it looks like the client id and secret would need to be embedded in the extension code bundle, which by all accounts is a security risk.

Authorization Code Flow with PKCE looks to work round this, but has additional steps.

Yet another suggestion was to use Authorization Code Flow but place the client id and secret on the server, and have the extension go via this proxy endpoint. 

I don't have enough experience with this kind of thing to know which is which, so just putting this out there to ask what everyone else is doing, and why.

Thanks in advance.

Cheers,
Dave

Likely Logic

Dec 14, 2020, 3:36:23 PM
to Chromium Extensions, Likely Logic
For anyone following in my footsteps, we went with PKCE and used chrome.identity.launchWebAuthFlow() for a seamless user experience where a window pops up and the login is done there. 
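
The flow named in the post above (Authorization Code with PKCE through chrome.identity.launchWebAuthFlow()), as an added example that is not part of the original thread or the poster's code. The endpoint URLs and client id are hypothetical placeholders, and the promise form of launchWebAuthFlow assumes a Manifest V3 extension.

```javascript
// AUTH_BASE and CLIENT_ID are hypothetical placeholders, not values from the thread.
const AUTH_BASE = 'https://auth.example.com/oauth';
const CLIENT_ID = 'EXAMPLE_CLIENT_ID'; // public identifier; no client secret is shipped

// Web Crypto is a global in extensions; the fallback only lets this run under older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// 32 random bytes -> 43-character URL-safe string (used for code_verifier and state).
const randomToken = () => b64url(wc.getRandomValues(new Uint8Array(32)));

// code_challenge = BASE64URL(SHA-256(code_verifier)), the "S256" method of RFC 7636.
async function pkceChallenge(verifier) {
  const digest = await wc.subtle.digest('SHA-256', new TextEncoder().encode(verifier));
  return b64url(new Uint8Array(digest));
}

function buildAuthorizeUrl(redirectUri, challenge, state) {
  const q = new URLSearchParams({
    response_type: 'code', client_id: CLIENT_ID, redirect_uri: redirectUri,
    code_challenge: challenge, code_challenge_method: 'S256', state,
  });
  return `${AUTH_BASE}/authorize?${q}`;
}

// Reject error responses and any redirect whose state is not the one we sent.
function extractCode(redirectedTo, expectedState) {
  const p = new URL(redirectedTo).searchParams;
  if (p.get('error')) throw new Error(`authorization failed: ${p.get('error')}`);
  if (p.get('state') !== expectedState) throw new Error('state mismatch');
  const code = p.get('code');
  if (!code) throw new Error('no authorization code in redirect');
  return code;
}

// Runs only inside an extension with the "identity" permission.
async function signIn() {
  const verifier = randomToken(), state = randomToken();
  const redirectUri = chrome.identity.getRedirectURL();
  const url = buildAuthorizeUrl(redirectUri, await pkceChallenge(verifier), state);
  const redirectedTo = await chrome.identity.launchWebAuthFlow({ url, interactive: true });
  const code = extractCode(redirectedTo, state);
  const res = await fetch(`${AUTH_BASE}/token`, { method: 'POST', body: new URLSearchParams({
    grant_type: 'authorization_code', client_id: CLIENT_ID, redirect_uri: redirectUri,
    code, code_verifier: verifier }) });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return res.json(); // token response; where to store it is out of scope here
}
```

The verifier and state live only in memory for one sign-in attempt, so a code intercepted from the redirect cannot be redeemed without them.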

Kos

Dec 14, 2020, 4:29:10 PM
to Chromium Extensions, likel...@gmail.com
Same, but Google haven't approved it because they think a Google account can be used only with the native `identity` flow :( What a bad bad Google

Likely Logic

Dec 14, 2020, 9:36:00 PM
to Chromium Extensions, Kos, Likely Logic
Ah. We are using Laravel Passport and the user logs in on our own domain, in the popup.