Evening,
I’m wondering if it’s possible to use the Auth0.swift framework’s universal web login with iOS universal links instead of a custom URL scheme?
Reason for asking is that using the callback scheme is susceptible to app impersonation. Given a user has previously logged in without an ephemeralSession, or has logged in via Safari, it’s possible to use /authorize and /token to generate a new token & refresh token.
Reference: “PKCE Bypass via App Impersonation” in “On Web-Security and -Insecurity: PKCE: What can(not) be protected”.
If not, is there a setting or something to help prevent this sort of attack?