I was researching OAuth docs and understand that https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce is better than the Authorization Code Flow, because it gives less possibility to get the client's code and exchange it for an access_token.
Also, I saw that there were cases on the internet where client secrets were reverse-engineered from big mobile applications like Facebook or Twitter.
So for me it is still not clear how to get client identity implemented properly, e.g. if I use the resource owner grant type I have the client id and client secret stored in my app, and this can be reverse-engineered and anybody can build the same application as mine.
If I use the Authorization Code Flow with Proof Key for Code Exchange I still don't have any secret inside my app. So it means that any developer can build his own app that will be a mirror of my app.
So the question is: is there any way to implement client identity properly for mobile apps and pure JS (browser) clients?
UPDATE: there are 2 great options: 1 - use redirect URLs, 2 - set up CORS.

1 - However, I think it will not help if I try to mimic the behaviour with back-end code. E.g. I don't really need to have access to the web site to see that at some point it will give a redirect in the header; I just get the message and have this authorization code.

2 - The same for CORS: in the case of my mirror site I will get the token from the backend, and the server will not identify that the client is not the original and that it has rights to work with this client.