Okta Login flow for apps (with refresh token!)

We are trying to understand the way we need to create our login flow for our (iOS) app.
We are requesting users to log in on their browser, after which they redirect.

The flow is as follows:
[app] -> [opens safari okta login]
[successful login] -> [our server] -> [redirect to appurl]

What we do is log in and authorize. However, we want a refresh token as well.
So we tried:

[successful login] -> [our server] -> [another request to okta with the auth token] -> [redirect to appurl]

However, the token requests require a redirect URI! Which is unusable on the server while still processing the response from the login (we need to hold on to the response to redirect to our appurl, where we include the refresh_token!).

At this point we tried reading into several solutions provided in the APIs, but none of them matched the above use case.

Can anyone of you assist in helping us achieve the refresh_token after the successful login?

Hey @devpon!

I’m a little confused as to why you’re using your server to proxy /token requests. Is your server handling the user session? If this is the case, you don’t need to use Safari to start the login flow - as your server can be the gateway for authentication into Okta.

However, if you want to store an accessToken, idToken, and/or refreshToken inside of your Native iOS application that you can use to hit protected services - you should consider the Authorization Code Flow with PKCE.

Here are a few libraries that abide by best current practice to help simplify this flow:

Let us know if you have any other questions!

It is not that we want to use our server to do the /token requests, but our react native application cannot make the calls since the api seems to be forcing us to use a redirect url (thus a web-view) and we do not use webviews in our application.

Even the PKCE solution seems to hint at the use of a webview (with the redirect pointing to a deeplink/applink). But to be honest it also seems to make the solution more complex.

Basically the only thing we want to achieve is getting a refreshToken after the user has “logged in” in Safari.

I was using: https://developer.okta.com/docs/api/resources/oidc#token
to see how to get that refreshToken, which points to a POST-method only including a redirect.
While I expected to have some kind of get or post which returns the requested value (refreshToken).

I would also rather not include the secret in our app (but only on our server). But if it is the only possibility, we can use the fetch API in React Native to do the post/get as well (and we can have any info we received in step 1 (after login) in the React Native app). Again, preferably only our server contains most of the logic for handling the Okta flow.

This is also because we do not use Okta for anything other than: authorize and (if we get a refresh token) seeing if you still exist/are active… the data of our app is not behind any API which is handled by Okta.

P.S. The most confusing thing to me in all the docs is the fact that in a PKCE solution they refer to CURL.
I just don’t know how it is possible to use CURL in my app? I only know curl as the 20yo command line tool, maybe I am missing something. I would expect the fetch API or something.

https://developer.okta.com/authentication-guide/implementing-authentication/auth-code-pkce ( see 3. Exchanging the Code for Tokens, this is the spot where I totally lose it, I don’t know how to implement this solution from that point on )

@devpon The link you posted describes the PKCE flow at an API level (not in any particular language). It should also mention that our iOS AppAuth and Android AppAuth libraries do all of this for you automatically. We will soon be releasing a similar library for React Native.

However, all of these will require the use of a web view and an app redirect back. Can you help me understand why you can’t use a webview in your app?
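
The code-for-tokens exchange discussed in this thread, sketched as an added example that is not part of any post above and is not Okta's own code. It assumes Node's `crypto` module as a stand-in for the app's crypto library; the issuer, client ID, redirect URI and all function names are placeholders chosen for illustration.

```javascript
const crypto = require("crypto");

// Placeholders (assumptions): replace with your Okta org, client ID and app link.
const ISSUER = "https://example.okta.com/oauth2/default";
const CLIENT_ID = "CLIENT_ID_PLACEHOLDER";
const REDIRECT_URI = "com.example.app:/callback";

const b64url = (buf) => buf.toString("base64url");

// Step 1: per-login secret kept in app memory; only its SHA-256 hash reaches the browser.
function newVerifier() {
  return b64url(crypto.randomBytes(32)); // 43 characters, the RFC 7636 minimum
}
function challengeFor(verifier) {
  return b64url(crypto.createHash("sha256").update(verifier, "ascii").digest());
}

// Step 2: URL opened in Safari. offline_access is the scope that asks for a refresh token.
function authorizeUrl(verifier, state) {
  const q = new URLSearchParams({
    client_id: CLIENT_ID, response_type: "code", state,
    scope: "openid offline_access", redirect_uri: REDIRECT_URI,
    code_challenge: challengeFor(verifier), code_challenge_method: "S256",
  });
  return `${ISSUER}/v1/authorize?${q}`;
}

// Between steps 2 and 3: read the app-link callback and reject a mismatched state.
function codeFromCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.get("state") !== expectedState) throw new Error("state mismatch");
  return p.get("code");
}

// Step 3: the "curl" step from the guide, expressed as fetch(url, init) arguments.
// redirect_uri is only compared with the value sent in step 2; no redirect happens here.
function tokenRequest(code, verifier) {
  return {
    url: `${ISSUER}/v1/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
      body: new URLSearchParams({
        grant_type: "authorization_code", client_id: CLIENT_ID,
        redirect_uri: REDIRECT_URI, code, code_verifier: verifier,
      }).toString(),
    },
  };
}
```

The token request carries the `code_verifier` instead of a client secret, so nothing secret has to be embedded in the app, and the JSON response to that POST is where the `refresh_token` is returned.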