I want to integrate OAuth with a thick client which doesn't have browser support. I have read Okta documentation & it says Device Code flow is the recommended one. However, a few online forums (including ChatGPT) say to use Authorisation Code flow with PKCE.
Could you please guide which one is better & why? Thanks in advance.
Assuming you mean a desktop app, then the standard option is to use a native apps solution, as defined in RFC8252, which runs a code flow + PKCE.
This involves spinning up a system browser to do the login, so that the application never gains access to the user's credentials. The app then receives the response by listening on a local URL for the browser response. My blog post shows what this might look like, though the user experience is not perfect.
The device flow is instead used in scenarios where a device with limited user input capabilities needs to get tokens and call an API. An example might be a smart TV that starts the flow, presents a code and authentication URL to the user, then polls the authorization server. The user then authenticates using a mobile app or desktop computer. That is probably not the behaviour you want though.
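As an added illustration of the RFC 8252 pattern the answer describes (this is not code from the answer or from its author's blog post), the Python sketch below generates the PKCE verifier/challenge pair, builds the authorization URL to open in the system browser, and listens once on a loopback redirect URI while checking `state`; the authorize endpoint, client id and port are assumed placeholders.

```python
import base64, hashlib, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/v1/authorize"  # placeholder issuer
REDIRECT_URI = "http://127.0.0.1:8400/callback"  # loopback redirect per RFC 8252

def code_challenge(verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Fresh 43-char verifier stays in app memory; only the challenge goes to the browser."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge(verifier)

def build_authorize_url(client_id, challenge, state, scope="openid profile"):
    """Front-channel request to open in the system browser (never an embedded webview)."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def parse_redirect(redirect_url, expected_state):
    """Extract the code from the loopback redirect; reject a missing or wrong state."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]

def wait_for_code(expected_state, port=8400):
    """Serve exactly one request on 127.0.0.1 and return the authorization code."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_redirect(f"http://127.0.0.1:{port}{self.path}", expected_state)
                body = b"Login complete; you can close this tab."
            except ValueError as exc:
                result["error"], body = exc, b"Login failed."
            self.send_response(200); self.end_headers(); self.wfile.write(body)
        def log_message(self, *args):
            pass  # keep the one-time code out of the console log
    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()  # handle the single browser redirect, then shut down
    if "error" in result: raise result["error"]
    return result["code"]
```

The returned code is then exchanged at the token endpoint together with the original verifier, which is what lets the server reject a code that was intercepted on the way back to the app.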