OAuth 2.0 + PKCE Explained — What's Actually Happening When Your React App Does a Login Redirect

If you've wired up OAuth login in a React app using a library like react-oauth/google, oidc-client-ts, or Auth0's React SDK — you've used PKCE, probably without realising it. But knowing what's happening under the hood matters — especially when things break in prod or you're making architecture decisions about where to handle auth in your app.

The video covers:

- Why React SPAs are public clients and can't safely store a client_secret
- The auth code interception attack and exactly why PKCE was introduced to fix it
- What code_verifier and code_challenge (SHA-256) are doing before your redirect
- The full Authorization Code Flow — from login button click to Bearer token in your app
- How your React frontend and backend API share responsibility in the flow

Useful context before reaching for any OAuth library, or if you're debugging why tokens aren't coming back as expected.…