I think I have read every possible document in Auth0 SDKs related to this and it seems it’s not possible.
All SDK quickstarts point to using webAuth(), which uses SSO and gives me an access token without a refresh token anywhere.
I want to use access+refresh token, without having client_secret anywhere in code. Hence authorization code flow with PKCE.
But that does not seem possible with the native SDK at all. There are no methods I see to facilitate this, and online help points to implementing your own SDK with URLSessionDataTask.
Is this really the only way to do it?
I find it strange that the least risky way of integrating 3rd party identity is not supported by the SDK at all.
Hi @marehoplit,
Welcome to the Auth0 Community!
The Auth0 Swift SDK uses the Authorization Code Flow with PKCE.
Native apps must use PKCE since they cannot securely store secrets. Therefore the .webAuth() method inherently does this and handles the code_challenge and code_verifier for PKCE to work.
If you need both an access token and a refresh token, you will need to specify the scope=offline_access in the webAuth() call.
https://auth0.github.io/Auth0.swift/documentation/auth0/webauth/#:~:text=func%20scope(String)%20->%20Self
If you have any other questions feel free to ask us.
Have a good one,
Vlad
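The approach described in the answer above, as an added example that is not part of the original thread or Auth0's own sample code: request offline_access through webAuth(), keep the resulting credentials in the Keychain with the SDK's CredentialsManager, and let it renew the access token later. It assumes Auth0.swift 2.x with ClientId and Domain supplied in Auth0.plist; the function names login and withAccessToken are hypothetical.

```swift
import Auth0

// Stores credentials in the Keychain. No client_secret is involved anywhere:
// webAuth() runs Authorization Code Flow with PKCE, as the answer explains.
let credentialsManager = CredentialsManager(authentication: Auth0.authentication())

// Hypothetical helper: interactive login that also asks for a refresh token.
func login() {
    Auth0
        .webAuth()
        // offline_access is the scope that makes the token response
        // include a refresh token alongside the access token.
        .scope("openid profile offline_access")
        .start { result in
            switch result {
            case .success(let credentials):
                // refreshToken is optional; it is nil when no refresh token was issued.
                guard credentials.refreshToken != nil else {
                    print("No refresh token returned; check the requested scope")
                    return
                }
                // Persist both tokens in the Keychain, not in UserDefaults or files.
                if !credentialsManager.store(credentials: credentials) {
                    print("Could not store credentials in the Keychain")
                }
            case .failure(let error):
                print("Login failed: \(error)")
            }
        }
}

// Hypothetical helper: hand a valid access token to the caller.
// CredentialsManager uses the stored refresh token to renew it when expired.
func withAccessToken(_ use: @escaping (String) -> Void) {
    credentialsManager.credentials { result in
        switch result {
        case .success(let credentials):
            use(credentials.accessToken)
        case .failure(let error):
            // Renewal failed (for example, the refresh token was revoked):
            // fall back to an interactive login.
            print("Could not obtain credentials: \(error)")
        }
    }
}
```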
Thank you, will implement this and post the results.
(offline_access is a somewhat strange name for this scope. It suggests non-connected use, which is not the case here.)
This is working fine.
To any iOS dev reading this, I recommend giving these docs a good read.