Authorization Code Flow with PKCE using Auth0 Android SDK - Clarification whether the sdk does the pkce implicit?

Questions to clarify whether the SDK is already doing the work

In our android app I successfully implemented Auth0 for Android using the Quickstart Tutorial.

Am I correct that the Authorization Code Flow with PKCE is implicitly done by using the Auth0 SDK?

When I debug in the SDK an OAuthManager object is created after the WebAuthProvider.start()-call and the authentication is started with .startAuthentication(). Then the method .addPKCEParameters() is executed:

String codeChallenge = pkce.getCodeChallenge();
parameters.put(KEY_CODE_CHALLENGE, codeChallenge);

So can I assume that the Authorization Code Flow with PKCE is implicitly executed?

The article Authorization Code Flow with Proof Key for Code Exchange (PKCE) refers to the article Add Login Using the Authorization Code Flow with PKCE, which describes step by step how to implement the code flow with PKCE.

Do I understand correctly that the CODE_VERIFIER and CODE_CHALLENGE does not have to be explicitly generated and sent to the /authorize endpoint, but is implicitly done by the SDK?

Thanks for your feedback.


Hi @clma,

Welcome to the Community!

According to the doc you linked:

Auth0 Mobile SDKs and Auth0 Single-Page App SDK: The easiest way to implement the flow, which will do most of the heavy-lifting for you. Our Mobile Quickstarts and Single-Page App Quickstarts will walk you through the process.

Authentication API: If you prefer to roll your own, keep reading to learn how to call our API directly.

In short, yes you are correct! The sdk and quickstart are going to handle the code exchange and all you have to do is fill in the correct client and tenant info.

I would suggest following the quickstarts and SDks if you want to get things up and running quickly or follow the login doc you linked if you want to work directly with the auth server.

Let me know if you have any questions!

Hi @dan.woda

Thanks for clarifying. Things are already up and running, I just wanted to make sure that this was already being done by the SDK - happy now. :slight_smile:


You should be all set! Thanks for following up.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.