I am working on an implementation of OIDC/OAuth2 with my company’s service as Provider, so that a third party developer can integrate their mobile application with our service. We are using Rails/Doorkeeper, but I do not think that is relevant to the question.
As far as I can tell, we have a correct implementation for OIDC. I have various unit tests and manual tests running OK, everything works at the debugger on https://openidconnect.net/ which I would expect to be standard.
For integration with the mobile application we are using PKCE. The mobile application can successfully log in, but there is a mysterious extra redirect to the Provider’s (i.e. our) login screen, meaning that users have to log in twice. It is very odd, it doesn’t occur in any browser-based tests I have run, and I am working with the developer for the Relying Party to try and isolate the issue. Of course I think it could be a problem with the native code on the mobile app/Relying Party and our partner thinks it could be a problem with the Provider service.
We have a few avenues of research to isolate the issue. One thing that would help me would be any native app that is designed purely to test/debug OIDC, similar to the debugger at https://openidconnect.net/ but designed around using PKCE and a native app style redirect. Does anyone here know if there is such a thing? So far I have not found anything.
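An added example, not part of the question above: a minimal native-style PKCE test client in Python that builds the authorization request (RFC 7636, S256), listens on a loopback redirect URI as a native app would (RFC 8252), and records every redirect that lands on it, so a repeated authorize/login hop can be seen directly. The authorize endpoint URL and client_id are assumed inputs; the token exchange is left to the caller, which needs the returned verifier.

```python
# Added example: minimal PKCE loopback test client (not from the question/provider).
import base64, hashlib, secrets, urllib.parse, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_verifier(n_bytes: int = 32) -> str:
    # RFC 7636: 43..128 unreserved chars; base64url of 32 random bytes is 43 chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()

def make_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(authz_endpoint, client_id, redirect_uri, verifier, state, nonce):
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": state, "nonce": nonce,
        "code_challenge": make_challenge(verifier), "code_challenge_method": "S256",
    }
    return authz_endpoint + "?" + urllib.parse.urlencode(params)

def parse_callback(path: str, expected_state: str):
    # Returns (code, error); rejects a callback whose state does not match (CSRF guard).
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on callback")
    return qs.get("code", [None])[0], qs.get("error", [None])[0]

class CallbackHandler(BaseHTTPRequestHandler):
    hits = []            # every redirect that reaches the loopback, in order
    expected_state = None
    def do_GET(self):
        self.hits.append(self.path)          # keep the raw path for later inspection
        parse_callback(self.path, self.expected_state)
        self.send_response(200); self.end_headers()
        self.wfile.write(b"callback received; you can close this tab")
    def log_message(self, *args): pass     # keep stdout to our own diagnostics

def run_once(authz_endpoint: str, client_id: str, port: int = 8765):
    # One authorization round trip; returns (paths hit on loopback, verifier for /token).
    verifier, state, nonce = make_verifier(), secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect_uri = f"http://127.0.0.1:{port}/cb"   # loopback redirect, RFC 8252 style
    CallbackHandler.expected_state = state
    url = build_authorize_url(authz_endpoint, client_id, redirect_uri, verifier, state, nonce)
    print("authorize request:", url); webbrowser.open(url)
    srv = HTTPServer(("127.0.0.1", port), CallbackHandler)
    srv.handle_request()                     # serve exactly one callback
    return list(CallbackHandler.hits), verifier
```

Register `http://127.0.0.1:8765/cb` as the client's redirect URI on the provider, then call `run_once(...)`; if more than one path appears in the returned hit list, or the browser shows the login screen twice before a single callback, the extra hop is happening before the redirect reaches the client.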