
Difficulties in implementing Lock in Phonegap Cordova



Our mobile app is built on Angular 1.x.x in Phonegap Cordova, and we are facing a couple of difficulties in implementing Lock.

  1. Google Social connection is blocking webview OAuth requests.
  2. Implementing persistent authorization tokens using Lock (tokens that don't expire, such as refresh_tokens)

Regarding (1), how can we work around this issue with Cordova? We are currently working with angular-lock and auth0-angular, and our client in Auth0 is set to an SPA. So we are basically using Lock as part of our Angular application, as if it were a web application (non-strict mobile). Is it a bad approach? If we use the auth0-cordova integration with PKCE and the hosted login page, would it resolve this issue? Is this the best approach?

Regarding (2), if it is still possible to use Lock in option (1), how can we configure it to use refresh_tokens? Or should we use silent authentication?


As you already hinted, even though Cordova allows you to use web frameworks/stacks to develop native applications, they must still be treated as native applications. For the particular case of authentication through OAuth2/OIDC, this implies a significant difference in approach, and the recommendation is to treat your client application as a native one in the Auth0 settings and to follow only guidance that applies to native applications. In particular, as you mentioned, you should indeed be using the PKCE flow through the hosted login page and an external user-agent, as that will make the restriction imposed by Google a non-issue.

Based on the above, your second point is also not applicable as the recommendation is to use a different approach from the start.
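
The PKCE exchange recommended in the answer above, sketched as an added example (not part of the original thread and not auth0-cordova's own code): the app creates a one-time verifier, sends only its S256 challenge on the authorize URL opened in the external user-agent, and the authorization server later checks the verifier at the token endpoint. It runs under Node.js; the tenant domain, client ID, redirect URI and all function names are constructed placeholders.

```javascript
// Added example: PKCE (RFC 7636) values for the authorization code flow.
const crypto = require("crypto");

// base64url without padding, the encoding RFC 7636 requires.
function base64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Client: fresh high-entropy verifier for every login attempt (32 bytes -> 43 chars).
function createVerifier() {
  return base64url(crypto.randomBytes(32));
}

// Client: S256 challenge, the only PKCE value that leaves the app before the code exchange.
function challengeFor(verifier) {
  return base64url(crypto.createHash("sha256").update(verifier, "ascii").digest());
}

// Client: URL to open in the external user-agent (system browser), not an embedded webview.
function buildAuthorizeUrl(cfg, verifier, state) {
  const url = new URL(`https://${cfg.domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: "openid",
    state, // random per-request value, checked on the callback
    code_challenge: challengeFor(verifier),
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Authorization server side: the check made when the code is exchanged for tokens.
function verifierMatches(storedChallenge, presentedVerifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier)) return false; // RFC 7636 charset and length
  const a = Buffer.from(challengeFor(presentedVerifier));
  const b = Buffer.from(storedChallenge);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed placeholder configuration (assumption, not values from the thread).
const cfg = {
  domain: "tenant.example.com",
  clientId: "CLIENT_ID_PLACEHOLDER",
  redirectUri: "com.example.app://callback",
};
```

An app that intercepts the custom-scheme redirect gets the authorization code but not the verifier, so the token request fails the `verifierMatches` check.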