Nice work by Justin Richer: https://medium.com/@justinsecurity/mobile-apps-and-oauths-implicit-flow-68e72c6515a1 Not OpenID Connect specific, but applies... - Mike S.