Thanks for the interesting writeup. One note: you mentioned would follow the new OAuth guidelines, which is great! However, I think you use the code grant type with PKCE and not PKCE alone.
You're welcome :) Good catch, you're right. It's the default when you use Auth0's client lib for SPAs.