Questions to clarify whether the SDK is already doing the work
In our android app I successfully implemented Auth0 for Android using the Quickstart Tutorial.
Am I correct that the Authorization Code Flow with PKCE is implicitly done by using the Auth0 SDK?
When I debug in the SDK an OAuthManager object is created after the
WebAuthProvider.start()-call and the authentication is started with
.startAuthentication(). Then the method
.addPKCEParameters() is executed:
createPKCE(redirectUri); String codeChallenge = pkce.getCodeChallenge(); parameters.put(KEY_CODE_CHALLENGE, codeChallenge); parameters.put(KEY_CODE_CHALLENGE_METHOD, METHOD_SHA_256);
So can I assume that the Authorization Code Flow with PKCE is implicitly executed?
The article Authorization Code Flow with Proof Key for Code Exchange (PKCE) refers to the article Add Login Using the Authorization Code Flow with PKCE, which describes step by step how to implement the code flow with PKCE.
Do I understand correctly that the CODE_VERIFIER and CODE_CHALLENGE does not have to be explicitly generated and sent to the /authorize endpoint, but is implicitly done by the SDK?
Thanks for your feedback.