A big change I’m seeing is this:
All IndieAuth clients MUST use PKCE (RFC7636) to protect against authorization code injection and CSRF attacks. A non-canonical description of the PKCE mechanism is described below, but implementers should refer to
PKCE stands for “Proof Key for Code Exchange”. This is a new hard requirement and it explains why I couldn’t sign into clients like Aperture or Monocle. Let’s patch that up!
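As an added illustration of the mechanism the spec now requires (this is not code from the post, the IndieAuth spec, Aperture or Monocle; the function names are my own), here is RFC 7636 PKCE in Python: the client generates a random code_verifier and sends its S256 code_challenge with the authorization request, then proves possession of the verifier when it redeems the code, so a stolen or injected authorization code alone is useless.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters allowed in a code_verifier (RFC 7636 section 4.1).
VERIFIER_CHARS = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy random string of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be 43..128")
    return "".join(secrets.choice(VERIFIER_CHARS) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier, challenge: str, method: str = "S256") -> bool:
    """Server side: recompute the challenge stored with the code and compare it."""
    if not isinstance(verifier, str) or not 43 <= len(verifier) <= 128:
        return False
    if any(c not in VERIFIER_CHARS for c in verifier):
        return False
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":  # allowed by RFC 7636 but S256 is what clients should send
        expected = verifier
    else:
        return False  # unknown transform: reject rather than guess
    return hmac.compare_digest(expected, challenge)


def simulated_flow():
    """Walk the IndieAuth exchange: challenge travels with the auth request, verifier with the redemption."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Authorization endpoint stores the challenge alongside the code it issues (constructed record).
    issued = {"code": secrets.token_urlsafe(16), "code_challenge": challenge, "method": "S256"}
    # Honest client redeems with the verifier it generated; an attacker holding only the code cannot.
    honest = verify_code_challenge(verifier, issued["code_challenge"], issued["method"])
    stolen = verify_code_challenge(make_code_verifier(), issued["code_challenge"], issued["method"])
    return honest, stolen
```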