Auth0 Home Blog Docs

Recommended Android Native Authentication and API Access methods clarification



Can I get some clarification on the following
I have an Android native client, initially I did a POC with embedded lock for authentication. By the time I got around to wanting to flesh out my logon/token/refresh life cycle the recommendations had changed to browser based authentication as per this link:
so I used the Auth0 Android SDK for java and implemented as directed, this is now working pretty much exactly how I want in my client.

But I see now the recommendation is for PKCE grant-type authentication when using native mobile to then access an API as per these two links:
saying this is more secure

So should i switch to PKCE or remain as per the previous best practice, what is the better approach to take?


I understand it may be confusing as the recommendations do change over time, but when trying to make the flows as secure as possible, we need to keep up with the latest security practices. If you’re [authenticating with the Hosted Login Page] ( through WebAuthProvider.init, you don’t need to switch over. With this browser based authentication, we are following the recommendations of the Internet Engineering Task Force (IETF), who has recently release a [Best Current Practices (BCP) when using OAuth 2.0 with native mobile applications] ( where it states that OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser.

You can read more about this recommendation here: