I’m developing a Figma plugin for which I need user authentication. I immediately found the article concerning OAuth with Plugins. It recommends using PKCE if it’s supported by your auth provider, but then goes ahead and gives an example of another use case. But since I still can’t redirect back into a Figma plugin, I believe I need some sort of intermediate step, which isn’t part of a “normal” PKCE flow. So I sat down and tried to draw up what such a flow could look like. I would really love some feedback on this flow, or if you see any flaws in it, since I’m not much of a security guy.