Calling APIs from Mobile Apps
In order to access an API from a mobile app, you need to implement the Authorization Code using Proof Key for Code Exchange (PKCE) OAuth 2.0 grant. In this document we will see how this flow works.
Overview of the flow
The Authorization Code Grant has some security issues, when implemented on native applications. For instance, a malicious attacker can intercept the
authorization_code returned by Auth0 and exchange it for an Access Token (and possibly a Refresh Token).
The Proof Key for Code Exchange (PKCE) (defined in RFC 7636) is a technique used to mitigate this authorization code interception attack.
With PKCE, the Client creates, for every authorization request, a cryptographically random key called
code_verifier and its transformed value called
code_challenge, which is sent to Auth0 to get the
authorization_code. When the Client receives the
authorization_code, it will send the code and the
code_verifier to Auth0's token endpoint to exchange them for the requested tokens.
The native app initiates the flow and redirects the user to Auth0 (specifically to the /authorize endpoint), sending the
Auth0 redirects the user to the native app with an
authorization_codein the querystring.
The native app sends the
code_verifiertogether with the
client_idto Auth0. This is done using the /oauth/token endpoint.
Auth0 validates this information and returns an
access_token(and optionally a
The native app can use the
access_tokento call the API on behalf of the user.
NOTE: In OAuth 2.0 terms, the native app is the Client , the end user the Resource Owner, the API the Resource Server, the browser the User Agent, and Auth0 the Authorization Server.
How to implement the flow
For details on how to implement this using Auth0, refer to Execute an Authorization Code Grant Flow with PKCE.
Rules will run for the Authorization Code (PKCE) grant. If you wish to execute special logic unique to the Authorization Code grant, you can look at the
context.protocol property in your rule. If the value is
oidc-basic-profile, then the rule is running during the Authorization Code grant.
For details on how to implement this, refer to Execute an Authorization Code Grant Flow with PKCE: Customize the Tokens.
- Execute an Authorization Code Grant Flow with PKCE
- How to configure an API in Auth0
- Mobile/Native App Quickstarts
- Client Authentication for Mobile & Desktop Apps
- Authentication API: GET /authorize
- Authentication API: POST /oauth/token
- The OAuth 2.0 protocol
- The OpenID Connect protocol
- Tokens used by Auth0
- RFC 6749 - The OAuth 2.0 Authorization Framework
- RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients