We’re in the process of migrating our Ionic mobile app to Ionic 2 in the hopes of being able to code-share a significant portion between a progressive web app version and our mobile apps. However, the Auth0 + Ionic 2 samples use PKCE and aren’t usable in browser. Is there an alternative that would be a good solution to use in both instances or do we need to take a different approach on mobile than web for auth?
No comment at all on this?
As a disclaimer, I don’t have much experience with so-called hybrid apps and even less with development of applications with the goal of sharing a codebase between native and web platforms.
Having said that, looking at this from the perspective of authentication/authorization and the protocols being involved (OpenID Connect and OAuth2) there is indeed a significant mismatch between the approaches that are most commonly implemented for native and web applications (in particular the browser-based type ones).
A native application will be eligible to obtain and make use of refresh tokens, while on a SPA application these are not applicable. As you mentioned, the preferred grant types used by the two types of application are also quite different; native apps go with PKCE and SPA apps with the implicit grant. If CORS allows it, I don’t think there would be any argument against doing a PKCE flow in a SPA application (it could be argued whether it is worth it, but with the right configuration it is doable).
However, at this time the libraries/samples used in both situations don’t have the goal of working seamlessly on both platforms; more specifically, Ionic 2 uses auth0-cordova, which is aimed at native, while the SPA samples use Auth0.js, which, apart from some utility methods, is mostly aimed at web applications.
In conclusion, I don’t believe that with the current samples/libraries you would be able to achieve your goal of full reuse, as each focuses on an individual platform and does things in different ways. In addition, the lack of refresh tokens in SPAs means that getting additional access tokens is also done differently, so the mismatch in the process is not restricted to the initial authentication/authorization step.