I just figured out that there seems to be a new recommended way to integrate Auth0 into Ionic2+.
I’m just wondering if there is any significant advantage of the new solution?
I just made a quick test implementation in my app, and despite the fact that it didn’t save the token properly (I wasn’t able to figure it out, but I also didn’t spend much time debugging), I saw a few disadvantages right away:
not able to test it in the browser anymore (via ionic serve -l) which is much easier to debug
the addressbar is always visible and there doesn’t seem to be a way to get rid of it - so the look and feel of the integration is quite poor
The auth0-cordova library performs a PKCE exchange which gives you improved security from the perspective that it mitigates the threat of authorization code interception. Using authorization code grant instead of an implicit grant would already be an improvement as the tokens are delivered through the token endpoint and not directly on a URL, but PKCE goes even further.
It also does not make use of the in-app browser, which would mean the use of WebViews. You may not like the address bar, but for the end user it makes it easier and safer to input credentials in the OS browser than in a WebView. For example, Google simply disallowed user authentication happening on WebViews so this is another added benefit.
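The PKCE exchange described in the answer above, as an added example that is not code from auth0-cordova or from any poster in this thread: an in-memory sketch of both sides showing why an authorization code taken from the redirect cannot be redeemed without the verifier. `ToyAuthServer`, `createPkcePair`, `challengeFor` and `demo` are hypothetical names, and the server is a stand-in, not Auth0's API.

```javascript
// Added example: PKCE (RFC 7636, S256) from both sides. All names are hypothetical.
const crypto = require('crypto');

const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
const challengeFor = (verifier) =>
  b64url(crypto.createHash('sha256').update(verifier, 'ascii').digest());

// Client side: a fresh random verifier per login. It stays inside the app
// until the back-channel token request.
function createPkcePair() {
  const verifier = b64url(crypto.randomBytes(32)); // 43 characters
  return { verifier, challenge: challengeFor(verifier), method: 'S256' };
}

// Toy in-memory authorization server (an assumption for this demo).
class ToyAuthServer {
  constructor() { this.pending = new Map(); }

  // Front channel: the code is bound to the challenge and returned via the redirect.
  authorize(challenge, method) {
    if (method !== 'S256') throw new Error('only S256 is accepted');
    const code = b64url(crypto.randomBytes(16));
    this.pending.set(code, challenge);
    return code;
  }

  // Back channel: the code is single use and needs the matching verifier.
  token(code, verifier) {
    const challenge = this.pending.get(code);
    this.pending.delete(code);
    const wellFormed = typeof verifier === 'string' && /^[A-Za-z0-9._~-]{43,128}$/.test(verifier);
    if (!challenge || !wellFormed) return { error: 'invalid_grant' };
    const a = Buffer.from(challengeFor(verifier));
    const b = Buffer.from(challenge);
    if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return { error: 'invalid_grant' };
    return { access_token: b64url(crypto.randomBytes(24)), token_type: 'Bearer' };
  }
}

function demo() {
  const server = new ToyAuthServer();
  const login1 = createPkcePair();
  const code1 = server.authorize(login1.challenge, login1.method);
  const legit = server.token(code1, login1.verifier);   // matching verifier
  const replay = server.token(code1, login1.verifier);  // code already used
  const login2 = createPkcePair();
  const code2 = server.authorize(login2.challenge, login2.method);
  // A party that only observed the redirect holds code2 but not login2.verifier.
  const intercepted = server.token(code2, createPkcePair().verifier);
  return { legit, replay, intercepted };
}
```

With the implicit grant there is no second step to protect: the token itself arrives on the redirect URL.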
Thx for the answer.
What I can’t see from the current documentation: how about refreshing tokens? And is there support for custom integrated forms too (without any webview or browser)?
@jmangelo I’ve also implemented the Cordova quickstart which uses the PKCE exchange and I was wondering, is there no way around being able to run the code in a browser? Perhaps there are options to switch out authentication methods before production release?
In theory, it could be possible to do something like platform detection and run different flows depending on platform, but there’s no built-in support for that at the library level as far as I’m aware and it also goes beyond my knowledge of Cordova.