
Is it possible to implement PKCE without a redirect to a hosted login UI?

pkce
without-lock

#1

I’d rather keep control of my UI in my Ionic application. Do the APIs and the SDKs (auth0.js in particular) provide a way to implement the PKCE flow without the need to redirect to a hosted web page from my app? This redirect is very undesirable from a UX perspective, and also from a UI maintenance perspective too.


#2

The PKCE flow builds on top of the OAuth2 authorization code exchange, and the redirect is just how that flow is implemented, so it’s unavoidable both in the regular code exchange and the PKCE extended one. This is a characteristic of the protocol itself, so it’s also not something specific to the Auth0 service implementation or SDK.

If the users you’re trying to authenticate are database connection users, then you can consider using the resource owner password credentials grant, as this would allow you to perform authentication directly against the token endpoint without redirects being involved. However, this implies the client application will have to directly process user credentials, which may or may not be acceptable.


#3

Got it, thanks! Got the ropc grant working.

