Mobile Authorization Code Flow

• Advantages of the authorization code flow
  • For third-party clients
    • Protects the user’s credentials from being accessed or misused by the client
    • Confirms the user’s presence when authenticating
  • For all clients (first-party or third-party)
    • Improved authentication options can be added without requiring changes to any clients, and without requiring an App Store/Play store release. For example: 2 factor auth options, social options, passwordless email and SMS options, passkeys
    • Client identity verification is possible to some level using verified redirect URLs (see below)
• No client secret: secrets cannot be used, because native mobile apps are public clients [ref]
• PKCE: should be used so that if a third party intercepts the authorization code, they will be unable to use it to retrieve an access code [ref]
• Recommended secure embedded browser APIs should be used for displaying the login flow [ref]
  • iOS: ASWebAuthenticationSession
  • Android: Chrome Custom Tabs
• Verified HTTPS redirect URLs should be used for redirecting back to the mobile app, rather than a custom mobile URL scheme. [ref] [ref]
  • This is because custom URL schemes can be used by multiple apps, whereas HTTPS URLs need to be verified to Apple and Google in order to be used. This provides some level of verification that the app receiving the authorization code is an approved client.

Resources

• Udemy Course: OAuth 2.0 Simplified (paid)
• Site: OAuth 2.0 Simplified (less comprehensive than the course)
• Site: OAuth Community Site
• Video: What’s the Difference Between Confidential and Public Clients?
• Non-IDP-specific libraries (for when the IDP does not have their own well-supported library)
  • iOS: AppAuth-iOS
  • Android: AppAuth-Android
  • React Native: expo-auth-session