I have 2 types of clients:
- SPA (I followed these docs: https://auth0.com/docs/api-auth/grant/implicit + Silent Authentication)
- Mobile Apps (I followed these docs: https://auth0.com/docs/api-auth/grant/authorization-code-pkce)
In both cases, I don’t want the user to relogin (unless after 1 month of inactivity or so), similar behavior to Facebook.
I read the docs, and I understand how to use all Auth0 endpoints. However, I am concerned whether they are really secure, and how Auth0 works behind the scenes. I’ll break it down into 2 separate questions:
- For SPAs. I use implicit grants (= accessToken). No refresh tokens, I agree with that. But I don’t understand how Silent Authentication works. This access token I get back, it is short-lived, am I correct? Do I store it in the localStorage? Also, when calling the renewAuth endpoint, how can I be sure that it’s my client app that called it, not a hacker? Is the accessToken appended somewhere in that renewAuth request?
- For mobile apps. I understood that storing refreshTokens is secure enough. The problem comes with the communication between the server and the mobile app. I understood also how PKCE works. However, my question is: if I use a WebView, and use https (without ever using a custom protocol scheme), I don’t need to implement PKCE, is that correct? Secure communication is secured by SSL.
Thanks in advance.
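The PKCE question above (whether HTTPS alone makes the code_verifier unnecessary) is easiest to reason about with the mechanism in front of you. The following is an added example, not the poster's code and not Auth0's implementation: it generates an RFC 7636 S256 verifier/challenge pair and uses a minimal stand-in authorization server (the `AuthorizationServer` class is a constructed toy, not a real endpoint) to show that an authorization code alone cannot be redeemed without the verifier that never left the client. TLS protects the code in transit; PKCE binds the code to the client instance that started the flow, which is a different property.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy stand-in for /authorize and /oauth/token (constructed for illustration)."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}  # authorization code -> recorded challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' offers no protection")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # codes are single-use
        if challenge is None:
            return False
        return secrets.compare_digest(make_challenge(code_verifier), challenge)


def demo() -> tuple[bool, bool]:
    """Returns (legitimate client succeeds, code-only redemption fails)."""
    server = AuthorizationServer()
    verifier = make_verifier()                      # kept in app memory only
    code = server.authorize(make_challenge(verifier))  # only the hash is sent
    # Someone who observed the code but not the verifier has nothing to present.
    other = AuthorizationServer()
    same_code = server.authorize(make_challenge(verifier))
    without_verifier = server.token(same_code, make_verifier())
    return server.token(code, verifier), not without_verifier


if __name__ == "__main__":
    print(demo())  # (True, True)
```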