Credential cacheing for Authorization Code Flow with PKCE

When I use Authorization Code Flow with PKCE are the credentials cached in the browser session? I’m asking such that if a user close my native app and then 10 minutes later opens it again and I call the logon will it pull the cached credentials or will they have to logon again? I’m assuming the credentials havn’t expired.

Hi @Terry.Humphries,

What do you mean by credential? Tokens aren’t stored in the browser by default, and passwords are never stored or persisted by our SDKs.

Do you have a specific SDK you are working with? They can function differently depending on your settings and environment.

We have an internal app that use the Logon method of Auth0.OidcClient.Core using the client credential flow. While we do not save the token that is returned. the next time a user runs the app and logon is called it returns a token with actually prompting the user so we think something must be stored in a browse secure cookie that keeps it from prompting for credentials again.

@Terry.Humphries,

The client credentials flow doesn’t involve any users and shouldn’t involve a browser or login.

Maybe it would be helpful if you share your code so we have a clearer picture of what your application is doing.

Dan, Our flow is as follows, Edit a bit to remove unrelated code:
We call this function to build the Auth0 client

        private Auth0Client BuildClient()
        {
            var clientOptions = new Auth0ClientOptions()
            {
                Domain = auth0Configuration.Domain,
                ClientId = auth0Configuration.ClientId,
            };
            clientOptions.PostLogoutRedirectUri = clientOptions.RedirectUri;

            return new Auth0Client(clientOptions,
                                   logger,
                                   BrowserControlType.WebBrowser,
                                   showWindowAction,
                                   () => new Window()
                                   {
                                       Height = 500,
                                       Name = "WebAuthentication",
                                       ResizeMode = ResizeMode.NoResize,
                                       Title = "Authenticating...",
                                       Width = 400,
                                       WindowStartupLocation = WindowStartupLocation.CenterOwner
                                   });
        }

Then we call our Login method:

        private async Task<bool> Login(Auth0Client client)
        {
            LoginResults = string.Empty;
            var url = !string.IsNullOrEmpty(auth0Configuration?.ServiceUrl) ? auth0Configuration?.ServiceUrl : "Authorization.ServiceUrl not set in Settings file.";
            var extraParams = new Dictionary<string, string> { { "audience", auth0Configuration.ServiceUrl } };

            var loginResult = await client.LoginAsync(extraParameters: extraParams);

The user gets prompted for login credentials. loginReults contains the access token, etc.

Then the next time the user runs the app if the token hasn’t expired when we call Login it immediately returns with the access token, etc
The user is not prompted. So something is cached somewhere

It’s likely a cookie is persisting the session in the browser. You can inspect the request and see what is happening by using devtools network tab.

Alternatively, you can send me a HAR file of the flow and I can tell you what is happening.