OAuth 2.0 for Native and Mobile Apps

Native and Mobile apps have special requirements for using OAuth 2.0.

Gilles Morieux

Thanks, Micah, for this feature article, which reinforces my recent work, where I reach the same conclusions that you clearly explain in this document, i.e. "The Auth Code with PKCE Flow will replace the Implicit Flow over time. This will strengthen SPA apps by reducing the surface area of attack."
Most serious articles indeed recommend a code + PKCE approach for native applications without, however, evoking SPA applications or explicitly recommending this approach instead of the Implicit Flow.
I felt a bit lonely even though PKCE’s latest progress on appauth-js was moving in this direction.
Thanks a lot to the AppAuth SDK contributors too … 🙂
Update: https://tools.ietf.org/html…
Note: although PKCE so far was recommended as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications.

Anil Thakkar

I am stuck with one very basic requirement in my application. Here is my scenario. I am building a custom e-commerce portal using Angular as a front end and a REST API as a back end. I have a product listing API which is going to be called by my Angular client application without the user’s credentials, as the product list is a public page. However, I don’t want anyone else to consume my product listing API. I know I can use a client id and client secret to obtain a token and make it secure, but how do I avoid exposing my client secret in the Angular app?
Anyone can steal it very easily. Is there any way to use the Authorization Code flow with PKCE for my public APIs, such as the product listing API, where a user id and password are not required?

Hi Micah, thanks a lot for the clear article. I wanted to run the demo, but it failed when starting the Node.js application.

On Windows:

node.exe .\pkce-cli
C:\Git\pkce-cli\node_modules\restify\lib\request.js:848
Request.prototype.closed = function closed() {
^

TypeError: Cannot set property closed of # which has only a getter
at patch (C:\Git\pkce-cli\node_modules\restify\lib\request.js:848:30)
at Object.<anonymous> (C:\Git\pkce-cli\node_modules\restify\lib\server.js:32:1)
at Module._compile (node:internal/modules/cjs/loader:1469:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1548:10)
at Module.load (node:internal/modules/cjs/loader:1288:32)
at Module._load (node:internal/modules/cjs/loader:1104:12)
at Module.require (node:internal/modules/cjs/loader:1311:19)
at require (node:internal/modules/helpers:179:18)
at Object.<anonymous> (C:\Git\pkce-cli\node_modules\restify\lib\index.js:10:14)
at Module._compile (node:internal/modules/cjs/loader:1469:14)

Node.js v20.17.0

On WSL2 (Ubuntu):

./pkce-cli --client_id 0oahdifc72URh7rUV0h7 --okta_org https://micah.oktapreview.com --scopes "openid profile email" --redirect_uri http://localhost:8080/redirect
/home/thesse/Git/pkce-cli/node_modules/restify/lib/request.js:848
Request.prototype.closed = function closed() {
^

TypeError: Cannot set property closed of # which has only a getter
at patch (/home/thesse/Git/pkce-cli/node_modules/restify/lib/request.js:848:30)
at Object.<anonymous> (/home/thesse/Git/pkce-cli/node_modules/restify/lib/server.js:32:1)
at Module._compile (node:internal/modules/cjs/loader:1356:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1414:10)
at Module.load (node:internal/modules/cjs/loader:1197:32)
at Module._load (node:internal/modules/cjs/loader:1013:12)
at Module.require (node:internal/modules/cjs/loader:1225:19)
at require (node:internal/modules/helpers:177:18)
at Object.<anonymous> (/home/thesse/Git/pkce-cli/node_modules/restify/lib/index.js:10:14)
at Module._compile (node:internal/modules/cjs/loader:1356:14)

Node.js v18.19.1

What am I doing wrong? Thanks!

Hi there @thomashesse ,

Welcome to the community!

This is a fairly old post. My guess is the Node version you’re using doesn’t work with the code sample.

It looks like it’s documented in this GH issue for node-restify library

I’d recommend downgrading Node and trying again.

You may be interested in trying out Okta’s mobile SDKs featured in this post

Happy coding!