I’m implementing authentication for a cross-platform desktop app using authorization code grant flow with PKCE. As confirmed by the Auth0 blog post…
…it is no longer recommended to use an integrated web browser to perform native authentication. This means I should open the authorize url in the system browser, and that my desktop app must be able to retrieve the authorization code after the external login redirect.
Here’s my problem. Of the available options for obtaining the auth code, ‘Loopback Interface Redirection’, i.e. redirecting to the loopback address, seems to offer the most seamless login experience, but I can’t use it in production as Auth0 doesn’t allow a wildcard port number. If I hardcode a specific port to listen to, I have no guarantee it will be available on the client machine.
Quoting from the ‘OAuth 2.0 for Native Apps’ spec which Auth0 cites in the blog post…
The authorization server MUST allow any port to be specified at the
time of the request for loopback IP redirect URIs, to accommodate
clients that obtain an available ephemeral port from the operating
system at the time of the request.
As far as I can tell, Auth0 doesn’t support this, so I have to specify a fixed port in the ‘allowed callbacks’ setting. I can’t specify EVERY ephemeral port number, as there are around 16,000 of them! Neither can I use a custom URI scheme, as this would require my users to elevate the app to admin in order to register the scheme with the OS. It would also require the user to approve the scheme when the redirect happens in their browser, which feels clunky, and they might click ‘no’.
Does anyone know how I can work around this, or if/when Auth0 are planning to implement this?
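The loopback receiver the post describes, as an added example that is not part of the original post or of Auth0's SDKs. It generates the PKCE pair (S256, RFC 7636), binds a listener on 127.0.0.1, builds the authorize URL, serves the single redirect and checks `state` before accepting the code. `bind_loopback` takes a tuple of candidate ports: `(0,)` asks the OS for an ephemeral port (the RFC 8252 behaviour the post wants), while a tuple such as `(8000, 8001, 8002)` models the app-side workaround of registering a handful of fixed loopback callbacks and taking the first one that is free on the machine; that list is the app author's choice, not an Auth0 feature. The tenant domain and client ID are placeholders, and `simulate_browser_redirect` stands in for the browser so the flow can run offline; a real app opens the URL with `webbrowser.open` and then POSTs `code`, `code_verifier` and `redirect_uri` to `/oauth/token`.

```python
"""Loopback-redirect receiver for authorization code + PKCE (RFC 8252 s7.3, RFC 7636).
Added example; domain, client ID and the candidate-port list are assumptions."""
import base64
import hashlib
import http.client
import http.server
import secrets
import threading
import urllib.parse


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43 unpadded base64url chars, the minimum verifier length
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class _CallbackHandler(http.server.BaseHTTPRequestHandler):
    """Handles the single GET the browser makes when the AS redirects back."""

    def do_GET(self):
        query = urllib.parse.urlsplit(self.path).query
        # parse_qs returns lists; keep the first value of each parameter
        self.server.callback_params = {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"Login complete. You can close this window.")

    def log_message(self, *args):  # keep the example quiet
        pass


class _LoopbackServer(http.server.HTTPServer):
    allow_reuse_address = False  # an occupied port must fail, not be shared


def bind_loopback(candidate_ports=(0,)):
    """Bind 127.0.0.1 on the first free port in candidate_ports.

    Port 0 asks the OS for an ephemeral port (what RFC 8252 assumes the AS allows).
    A tuple of fixed ports, e.g. (8000, 8001, 8002), is the app-side workaround:
    register each of them as an allowed callback and use whichever is free here.
    """
    for port in candidate_ports:
        try:
            return _LoopbackServer(("127.0.0.1", port), _CallbackHandler)
        except OSError:
            continue  # port in use on this machine, try the next candidate
    raise RuntimeError("none of the candidate loopback ports is free")


def redirect_uri_for(server):
    # RFC 8252 prefers the literal loopback IP over 'localhost' (no DNS involved)
    host, port = server.server_address[:2]
    return f"http://{host}:{port}/callback"


def build_authorize_url(domain, client_id, redirect_uri, state, code_challenge, scope="openid profile"):
    """Authorize URL to open in the system browser; domain/client_id are placeholders."""
    query = urllib.parse.urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    })
    return f"https://{domain}/authorize?{query}"


def wait_for_code(server, expected_state):
    """Serve exactly one request, verify state, return the authorization code."""
    server.callback_params = {}
    server.handle_request()
    params = server.callback_params
    if "error" in params:
        raise RuntimeError(f"authorization failed: {params['error']}")
    # A mismatched state means this redirect was not the one we initiated
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise RuntimeError("state mismatch; discarding callback")
    return params["code"]


def simulate_browser_redirect(server, code, state):
    """Stand-in for the browser: GET the redirect URI the way the AS would (test helper)."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/callback?" + urllib.parse.urlencode({"code": code, "state": state}))
    return conn.getresponse().status


def demo(candidate_ports=(0,), simulated_code="SplxlOBeZQQYbYS6WxSbIA", simulated_state=None):
    """End-to-end run with a simulated redirect; returns what a real app keeps for /oauth/token."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    server = bind_loopback(candidate_ports)
    redirect_uri = redirect_uri_for(server)
    url = build_authorize_url("YOUR_TENANT.auth0.com", "YOUR_CLIENT_ID", redirect_uri, state, challenge)
    # A real app would call webbrowser.open(url) here instead of simulating the redirect
    sent_state = state if simulated_state is None else simulated_state
    browser = threading.Thread(target=simulate_browser_redirect, args=(server, simulated_code, sent_state))
    browser.start()
    try:
        code = wait_for_code(server, state)
    finally:
        browser.join()
        server.server_close()
    return {"code": code, "code_verifier": verifier, "redirect_uri": redirect_uri, "authorize_url": url}
```

Two things to keep when adapting this: the token request must reuse exactly the `redirect_uri` string that was sent on the authorize request (port included), and the listener should serve one request and close, so a stale listener cannot be fed a later redirect.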