[snarfed][amit] i've forgotten what IndieAuth's equivalent of the OAuth PKCE flow is for avoiding client secret in JavaScript, but you'll need to do that instead of the normal three-legged OAuth flow. which then means your client will only support authorization endpoints that support that
