Authorization Code Flow with PKCE using Auth0 Android SDK - Clarification whether the sdk does the pkce implicit?

clma · March 31, 2020, 3:32pm

Questions to clarify whether the SDK is already doing the work

In our android app I successfully implemented Auth0 for Android using the Quickstart Tutorial.

Am I correct that the Authorization Code Flow with PKCE is implicitly done by using the Auth0 SDK?

When I debug in the SDK an OAuthManager object is created after the WebAuthProvider.start()-call and the authentication is started with .startAuthentication(). Then the method .addPKCEParameters() is executed:

createPKCE(redirectUri);
String codeChallenge = pkce.getCodeChallenge();
parameters.put(KEY_CODE_CHALLENGE, codeChallenge);
parameters.put(KEY_CODE_CHALLENGE_METHOD, METHOD_SHA_256);

So can I assume that the Authorization Code Flow with PKCE is implicitly executed?

The article Authorization Code Flow with Proof Key for Code Exchange (PKCE) refers to the article Add Login Using the Authorization Code Flow with PKCE, which describes step by step how to implement the code flow with PKCE.

Do I understand correctly that the CODE_VERIFIER and CODE_CHALLENGE does not have to be explicitly generated and sent to the /authorize endpoint, but is implicitly done by the SDK?

Thanks for your feedback.

Regards,
Claudio

dan.woda · April 2, 2020, 10:22pm

Hi @clma,

Welcome to the Community!

According to the doc you linked:

Auth0 Mobile SDKs and Auth0 Single-Page App SDK: The easiest way to implement the flow, which will do most of the heavy-lifting for you. Our Mobile Quickstarts and Single-Page App Quickstarts will walk you through the process.

Authentication API: If you prefer to roll your own, keep reading to learn how to call our API directly.

In short, yes you are correct! The sdk and quickstart are going to handle the code exchange and all you have to do is fill in the correct client and tenant info.

I would suggest following the quickstarts and SDks if you want to get things up and running quickly or follow the login doc you linked if you want to work directly with the auth server.

Let me know if you have any questions!
Dan

clma · April 3, 2020, 6:32am

Hi @dan.woda

Thanks for clarifying. Things are already up and running, I just wanted to make sure that this was already being done by the SDK - happy now.

clma

dan.woda · April 3, 2020, 9:36pm

You should be all set! Thanks for following up.

system · April 18, 2020, 9:36pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Android SDK with PCKE Help android	4	3437	March 3, 2020
Auth0-js with PKCE Help auth0js	12	5468	May 13, 2020
Authorization Code Flow with PKCE Help pkce	3	3216	October 8, 2020
Recommended Android Native Authentication and API Access methods clarification Help android , authentication , pkce , native	2	4779	August 27, 2019
Code Verifier Storage and Retrieval Help	5	5848	April 6, 2022

Authorization Code Flow with PKCE using Auth0 Android SDK - Clarification whether the sdk does the pkce implicit?

Related topics