Auth Code + PKCE flow supported by Okta mobile SDKs?

We’re looking to implement a native mobile application, integrated with Okta login, using a custom embedded login form, not redirecting to the Okta Hosted Widget.

This guidance outlines that the Auth Code + PKCE flow is supported; however, the methods described here suggest it’s using a redirect method to the Okta Hosted Widget: Implement authorization by grant type | Okta Developer

Is the Auth Code + PKCE method supported where an embedded login process is required?

My understanding is that the Okta Swift SDK, for example, outlines this method to authenticate the user: GitHub - okta/okta-auth-swift: okta-auth-swift, but I cannot find documentation on whether the OIDC /Authorize endpoint is called and that a PKCE code is supplied as well to get an Authorization code? (it’s not evident in the code snippets)

If it is not an Auth Code + PKCE flow, then what type of OIDC flow is used in the Okta Swift SDK? Resource Owner Password Grant (which does not support PKCE)?

1 Like

I’m also keen to know this (unsurprisingly @michaelixp)

From what I understand and see in the codebase, okta/okta-auth-swift is simply a wrapper over primary authentication (AuthN), but does not implement the authorization flow.

What you’ll need to do is create your embedded login with the okta-auth-swift SDK. When users successfully authenticate, you’ll receive a sessionToken, which you can provide to manually implement the authorization code flow w/ PKCE or use the okta/okta-oidc-ios (GitHub - okta/okta-oidc-ios: Okta with AppAuth) with the “.authenticate(withSessionToken)” method to retrieve an ID/AT/RT.

1 Like