I have a web app that uses OAuth2's Implicit Grant to authenticate.
I'd like to be able to keep my session active for a long time, using refresh tokens. But since I can't securely store a client_secret in a web app, I can't use the traditional Authorization Code grant.
Is it safe to use PKCE in place of the client_secret, or am I losing some level of security in doing so?
Yes. While PKCE is more secure than NOT using it, with the Implicit Grant plus PKCE the Access Token may still be exposed to the Resource Owner and perhaps to other applications residing on the same device.
PKCE primarily protects against the case where an attacker intercepts the authorization code returned from the authorization endpoint within a communication path not protected by Transport Layer Security (TLS).
Implicit Flow is only suitable for OAuth Client applications that are browser-based or JavaScript, NOT mobile devices or other applications that could use an Authorization Code Grant.