Native mobile applications can use native or browser-based login flows.
In a browser-based login flow, the user is shown a web browser and redirected to the Auth0 login page for sign up or log in. For example: an iOS application opens a SafariViewController or an Android application opens a Custom Chrome Tab.
With a native login flow, the user signs up or enters their credentials directly into the app.
Regardless of which option you choose, Auth0 supports either.
Native embedded login
If you prefer to embed your own login pages within your native/mobile app, you can implement our login widget, Lock, directly into your app with:
Examples of native apps with embedded login:
Phishing/security concerns: an unauthorized party could decompile or intercept traffic to/from your application to get the Client ID and authentication URL. With this information the unauthorized party could create a rogue application, upload it to an application store, and use it to phish for usernames, passwords, and Access Tokens.
SSO: users have to enter their credentials for each application.
Can implement SSO with native apps by storing refresh tokens on a shared keychain, but this is not compliant with the OAuth 2.0 specifications.
Takes more time to implement
No automatic improvements when Auth0 adds new features, have to update app code to take advantage of new features vs UL
Not compliant with OAuth 2.0 best practices
RFC 8252 OAuth 2.0 for Native Apps: authorization requests from native apps should only be made through external user-agents, primarily the user's browser
Native social login
You can add functionality to your native app letting users authenticate with social identity providers natively, within the application:
Sign In with Apple:
Limits are only applied to requests related to the Native Social Login flows, which are identified based on the body of the requests with the following initial criteria:
Limits for production tenants of paying customers
|Any native social login request
|50 per minute with bursts up to 500 requests
Limits for non-production tenants of paying customers and all tenants of free customers
|Native social login requests and IP
|30 per minute