Mobile Login Flow
During authentication, mobile/native applications can use the OAuth 2.0 Authorization Code Flow, but they require additional security because they:
- Cannot securely store a Client Secret. Decompiling the app will reveal the Client Secret, which is bound to the app and is the same for all users and devices.
- May make use of a custom URL scheme to capture redirects (e.g., MyApp://), potentially allowing a malicious application registered for the same scheme to receive an Authorization Code from your Authorization Server.
To mitigate this, OAuth 2.0 provides a version of the Authorization Code Flow that makes use of a Proof Key for Code Exchange (PKCE), defined in RFC 7636.
The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transformed value of the Code Verifier, called the Code Challenge, and sends this value over HTTPS to retrieve an Authorization Code. This way, an attacker who intercepts the Authorization Code cannot exchange it for a token, because the exchange also requires the Code Verifier, which never left the legitimate application.
How it works
Because the PKCE-enhanced Authorization Code Flow builds upon the standard Authorization Code Flow, the steps are very similar.
1. The user clicks Login within the native/mobile application.
2. Auth0's SDK creates a cryptographically-random code_verifier and from this generates a code_challenge.
3. Auth0's SDK redirects the user to the Auth0 Authorization Server (/authorize endpoint) along with the code_challenge.
4. Your Auth0 Authorization Server redirects the user to the login and authorization prompt.
5. The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the mobile application.
6. Your Auth0 Authorization Server stores the code_challenge and redirects the user back to the application with an authorization code.
7. Auth0's SDK sends this code together with the code_verifier (created in step 2) to the Auth0 Authorization Server (/token endpoint).
8. Your Auth0 Authorization Server verifies the code_verifier against the stored code_challenge.
9. Your Auth0 Authorization Server responds with an ID Token and Access Token (and optionally, a Refresh Token).
10. Your application can use the Access Token to call an API to access information about the user.
11. The API responds with the requested data.
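The verifier/challenge relationship described above, worked through end to end as an added example (not Auth0 SDK code): the client derives the S256 code_challenge per RFC 7636, a toy authorization server stores it at /authorize and recomputes it at /token, and a party holding only an intercepted code is refused.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed example: PKCE helpers (RFC 7636) plus a toy model of the
# authorization server's /authorize and /token checks. Not Auth0 code.

def make_code_verifier(nbytes: int = 32) -> str:
    """Cryptographically random verifier: 32 bytes -> 43 unreserved chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class ToyAuthServer:
    """Stores the challenge at /authorize; checks the verifier at /token."""
    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)  # single-use authorization code
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        challenge = self._pending.pop(code, None)  # consumed on first use
        if challenge is None or code_verifier is None:
            return False
        # Recompute the transform and compare in constant time.
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)

def demo() -> Dict[str, bool]:
    results = {}
    server = ToyAuthServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    results["app_with_verifier"] = server.token(code, verifier)  # legitimate exchange
    results["code_replayed"] = server.token(code, verifier)      # code already used
    server = ToyAuthServer()
    code = server.authorize(make_code_challenge(make_code_verifier()))
    results["code_without_verifier"] = server.token(code, None)  # intercepted redirect
    return results
```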
How to implement it
The easiest way to implement the Mobile Login Flow is to follow our Mobile/Native Quickstarts.
You can also use our mobile SDKs. Related reading:
- Auth0 offers many ways to personalize your user's login experience using rules and hooks.
- Why you should always use Access Tokens to secure APIs
- Tokens used by Auth0