Auth0.swift universal login with iOS universal links


I’m wondering if it’s possible to use the Auth0.swift framework universal web login with iOS universal links instead of a scheme?

Reason for asking is that using the callback schema is susceptible to app impersonation. Given a user has previously logged in without an ephemeralSession or has logged in via Safari, it’s possible to use /authorize and /token to generate a new token & refresh token.

Reference: “PKCE Bypass via App Impersonation” On Web-Security and -Insecurity: PKCE: What can(not) be protected

If not, is there a setting or something to help prevent this sort of attack?