Is PKCE required when using passwordless SMS?

I’m authenticating users in a react native App using auth0 API but I’m not sure if PKCE is required since there’s no examples of this flow using Passwordless.

I request the OTP code using the following endpoint:
POST “https://${authDomain}/passwordless/start”

Then I verify the code received in the APP using the following endpoint:
POST “https://${authDomain}/oauth/token” {audience: “API-identifier”}

I’m wondering how PKCE fits in this flow or if it’s really needed to improve security in this scenario.

Hi @authenticator,

Welcome to the Auth0 Community!

I understand you are wondering if PKCE is required when using Passwordless SMS.

Yes, it is required. Let me explain further. First, Passwordless SMS is a type of connection, whereas PKCE is related to your application type.

Since you are using React Native, this uses the authorization code flow with PKCE. As a result, regardless of your connection type, like passwordless, social, or database, you must still use the authorization code flow with PKCE. It is unfortunately unavoidable and required since native applications are public clients and cannot securely store secrets.

Given that, the login flow for passwordless SMS using PKCE should look like the following:

  1. GET /authorize endpoint to get to your login page
  2. POST /passwordless/start endpoint to send a verification code using SMS to the phone number submitted
  3. POST /oauth/token endpoint with the code to authenticate the user and return an access token

Therefore, when beginning the authentication flow, you must first call the /authorize endpoint to reach your login page to request sending a verification code to the user.

In this case, the authorization code flow with PKCE should look like this:

https://YOUR_DOMAIN/authorize?
    response_type=code&
    code_challenge=CODE_CHALLENGE&
    code_challenge_method=S256&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=YOUR_CALLBACK_URL&
    scope=SCOPE&
    state=STATE

Lastly, please take a look at our authorization code flow with PKCE documentation to learn more.

Hoped this helps!

Please let me know if you have any further questions.

Thank you.

Hey Ruben, Thanks for your quick reply!

I think the flow you’re describing uses a web browser since `/authorize’ should get the user to the login page. but in this case we need to use the App native UI (No web browser).

I found this post Passwordless with React Native and Auth0 which pass the code_challenge in the passwordless/start endpoint but the official api documentation does not include those params.

Also when checking at the source of react-native-auth0 I see no PKCE methods are being used when passwordlesswithSMS function is executed. react-native-auth0/index.js at master · auth0/react-native-auth0 · GitHub

I’m a bit lost here since the documentation and the examples I’ve found are conflictive. I appreciate any clarification :pray:t2:

To clarify the scenario:

  • Using auth0 vía API’s from the device (Not the SDK)
  • In react native, without any web-browser view.
  • using Passwordless SMS/OTP.