Security Considerations

4.5

If an app wants to use the authorization code grant but can’t protect its secret (i.e. native mobile apps or single-page JavaScript apps), then the client secret is not required when making a request to exchange the auth code for an access token, and PKCE must be used instead. However, some services still do not support PKCE, so it may not be possible to perform an authorization flow from the native app itself, and the native app may need to have a companion server-side component that performs the OAuth flow instead.

While the OAuth 2.0 spec does not specifically require that redirect URLs use TLS encryption, it is highly recommended. The only reason it is not required is because deploying an SSL website was somewhat of a hurdle for many developers at the time the spec was written. Some APIs do require HTTPS for their redirect endpoints now that deploying HTTPS has become much easier.