Skip to main content

Articles Quickstarts Auth0 APIs SDKs

Contact sales Log in

Articles Quickstarts Auth0 APIs SDKs

Contact sales Log in

Desktop and Mobile Apps

Contact sales Log in

Home

Get Started

Authenticate

Manage Users

Customize

Secure

Deploy and Monitor

Troubleshoot

Desktop and Mobile Apps

Authentication and delegated authorization for desktop and mobile applications and a public client overview.

video placeholder

Was this video helpful?

Lab 3: Mobile Applications

Jump to Section

Jump to a section in the video for explanation on a specific topic.

Public clients

Definition of a public client
Native clients identity vs user identity
Client ID is not a secret

Authorization code grant and public clients

Driving interactive authentication using browser surfaces
Embedded browser/webview; browser controls
System browsers on iOS and Android
Need PKCE when using system browsers
System browser in desktop apps is not easy
No browser available on the device requires the device flow

Authorization code + PKCE diagram

Authorization request from the system browser

Refresh token somewhat represents a session between client and resource
Redirect URI using a protocol scheme for handling system browser-app communication
PKCE code challenge

Authorization response
Returning the code from the system browser to the app
Redeeming the authorization code

PKCE code verifier
Token endpoint response

Challenges with refresh tokens without secrets
Using a refresh token for getting a new access token in native clients
Mitigating issues with the use of bearer tokens and secret-less refresh tokens

Token binding
Mutual TLS (MTLS)

Refresh tokens play the function of session artifacts for native clients and APIs

Resource Owner Password Grant (ROPG)

Dangers and limitations of use of raw credentials
How to address requests for ROPG from customers
One exception in which ROPG might be temporarily acceptable

ROPG diagram

Authorization request
Authorization response

Other grants

Device profile grant
Token exchange flow
Assertion profile

Expand Links

Up Next

37:29 Single Page Apps
Authentication and delegated authorization for single page applications.

Previous

48:54 Introduction to Identity
A whirlwind tour of identity history, concepts, and terminology: protocols, open standards, SSO, OAuth2, OpenID Connect and more.
14:58 OpenID Connect and OAuth2
OpenID Connect and OAuth specifications, roles, and grants.
34:56 Web Sign-In
Authentication for web applications using OpenID Connect.
53:12 Calling an API
How to obtain and use access and refresh tokens for delegated authorization in a traditional web application.