Mobile + API
In this scenario you have a mobile application ("Client") which talks to an API ("Resource Server"). The application will use OpenID Connect with the Authorization Code Grant using Proof Key for Code Exchange (PKCE) to authenticate users. Note that this flow can only be used for Clients whose type is Native in the Dashboard.
When a user logs in, Auth0 will return to the application an
id_token, and optionally a
access_tokenis used to securely call the API on behalf of the user.
id_tokenis consumed only by the client and contains user profile data. Alternatively the user profile can be obtained by calling the
/userinfoendpoint in the Auth0 Authentication API with the
access_token(provided that the API for which the
access_tokenis issued, uses
RS256as signing algorithm).
refresh_tokencan be used in order to obtain a new
access_tokenwhenever a previous one expires. Note that a
refresh_tokenwill only be present in the response if you included the
offline_accessscope and enabled Allow Offline Access for your API in the Dashboard.
The application will usually store the information about the user's session (i.e. whether they are logged in, their tokens, user profile data, and so forth) inside some sort of Local Storage on the mobile device.
The following is a list of articles on this website which will help you to implement this scenario: