Authorization code flow - for website?


I’m looking for an advice to know what approach & technology would be the right fit for implementing Okta features in a website created using ASP.Net 2010 (.net framework 4.0) MVC4.

We would like to use application’s own logon screen for authentication and also need to deal
with new user creation, forgot password, etc…

Our application is customer facing web application and do have mobile version (supports iOS and Windows) as well.

I’m thinking to go with Authorization Code Flow for website and Authorization Code Flow with
PKCE for mobile. Is this a correct way to implement?

Thank you.

Hi @partha

Yes, this is the correct way to go with the implementation, as the web users will not have access to the client secret and JWTs, while the mobile users will not have access to a client secret.

Thank you @dragos.

I would also like to get your thought of implementing Authorization Code Flow for mobile application (hybrid app) instead of going with PKCE. Mobile app calls Web API’s which is on the web server (where website also refers to the same application). By this way, I don’t want to write separate logic for web & mobile to handle session management and other things. Please advice.