Can I get some clarification on the following:
I have an Android native client. Initially I did a POC with embedded Lock for authentication. By the time I got around to wanting to flesh out my logon/token/refresh life cycle, the recommendations had changed to browser-based authentication, as per this link:
So I used the Auth0 Android SDK for Java and implemented it as directed; this is now working pretty much exactly how I want in my client.
But I see now that the recommendation is for PKCE grant-type authentication when using a native mobile client to then access an API, as per these two links:
I understand it may be confusing as the recommendations do change over time, but when trying to make the flows as secure as possible, we need to keep up with the latest security practices. If you're authenticating with the Hosted Login Page (GitHub - auth0/Auth0.Android: Android toolkit for Auth0 API) through WebAuthProvider.init, you don't need to switch over. With this browser-based authentication, we are following the recommendations of the Internet Engineering Task Force (IETF), which has recently released a [Best Current Practices (BCP) when using OAuth 2.0 with native mobile applications](https://www.rfc-editor.org/rfc/rfc8252.txt) where it states that OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser.
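To make concrete what the PKCE flow mentioned in the question protects against when the browser redirects back to a native app, here is an added example; it is not code from the post or from the Auth0.Android SDK (which performs these steps for you behind WebAuthProvider). The client derives `code_challenge` from a random `code_verifier` as in RFC 7636 (S256), the authorization server binds the challenge to the issued code, and the token endpoint only redeems the code when the matching verifier is presented. The `AuthorizationServer` class and `run_exchange` helper are in-memory stand-ins assumed for the demonstration, so it runs offline.

```python
"""PKCE (RFC 7636) as used by browser-based native-app login.

Added illustration, not code from the forum post or the Auth0.Android SDK.
AuthorizationServer is an in-memory stand-in (assumption) for the real
/authorize and /oauth/token endpoints so the exchange runs offline.
"""
import base64
import hashlib
import secrets


def make_code_verifier(nbytes: int = 48) -> str:
    # RFC 7636 s4.1: 43..128 chars from [A-Za-z0-9-._~]; token_urlsafe
    # produces exactly that alphabet (48 random bytes -> 64 characters).
    verifier = secrets.token_urlsafe(nbytes)
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of RFC 7636 range")
    return verifier


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 s4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))),
    # with the trailing '=' padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical stand-in for the authorization server (demo only)."""

    def __init__(self) -> None:
        # authorization code -> code_challenge received at /authorize
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Refuse 'plain': it leaks the verifier in the front channel.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        # The code travels back to the app over the redirect URI. On Android a
        # custom scheme can be claimed by any installed app, which is why the
        # code alone must not be enough to obtain tokens.
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        # Codes are single use: pop so a replay fails even with the verifier.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        recomputed = make_code_challenge(code_verifier)
        if not secrets.compare_digest(recomputed, challenge):
            raise PermissionError("invalid_grant: code_verifier does not match")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_exchange(server: AuthorizationServer, intercepted: bool = False) -> dict:
    """Legitimate app: generate verifier, send challenge, redeem code.

    With intercepted=True a rogue app that registered the same custom scheme
    receives the redirect (and thus the code) but never saw code_verifier,
    which only ever lived in the real app's memory.
    """
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    if intercepted:
        return server.token(code, make_code_verifier())  # attacker's guess
    return server.token(code, verifier)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate:", run_exchange(srv)["token_type"])
    try:
        run_exchange(srv, intercepted=True)
    except PermissionError as exc:
        print("intercepted code rejected:", exc)
```

The SDK's browser flow does exactly this on your behalf: the verifier stays inside the app process, only the challenge crosses the browser, and a code captured by another app on the device is worthless without it. When checking your own setup, confirm in the authorization URL that `code_challenge_method=S256` is present rather than `plain`.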