Is it possible to authenticate a Public Client to ION API Gateway without a Client Secret?

I posted this question in the Infor Developer forums, but figured I would cross-post here, in case anybody in MUGA has experience with it.

https://community.infor.com/discussion/35107/is-it-possible-to-authenticate-a-public-client-to-api-gateway-with-pkce-without-a-client-secret?tab=all#latest

I am looking into how best to integrate a public client application such as a Native/Mobile/Single Page application with the ION API Gateway.

I have worked with OAuth2 before - I understand and have been able to successfully retrieve an access token for ION API Gateway using Authorization Code Grant (with OIDC) and using Resource Owner Grant.

In the past, it would have been considered best practice to use Implicit Grant flow for something such as a single page application, but I know this is no longer considered best practice due to the inherent insecurity of this flow. The only reason I mention it is that it is still listed in the ION API SDK repo on GitHub, while this scenario is not listed at all on the developer portal.

https://github.com/infor-cloud/ion-api-sdk
https://developer.infor.com/tutorials/api-gateway/how-to-call-an-ion-api

Regardless, both sites do suggest using Authorization Code Grant for a Native or Mobile application. This aligns with my understanding of the OAuth2 best practices, except that the ION API Gateway does not seem to support PKCE to retrieve an access token in lieu of a client secret, as I would expect it to do in order to safely authenticate from a Native/Mobile app (or even an SPA).

Despite it not being documented, I did try to retrieve the access token using typical PKCE mechanisms (i.e., using code_challenge/code_verifier in lieu of client_secret to retrieve an access token), but I receive an error message. Naturally, this is because I did not include a client secret value.

Every app authorization type within the ION API Gateway, including desktop/mobile, issues a client id and client secret. Per my understanding of OAuth2 best practices, we are not able to maintain the confidentiality of a client secret within a distributed native/mobile application (or single page web application), so we should not distribute the client secret with such applications. The PKCE extension to auth code flow exists to solve exactly this scenario. In the demo applications in the aforementioned ION API SDK, however, the client secret is simply being distributed in those applications.

I am questioning whether I have misunderstood something with the ION API Gateway configuration, or if this simply is not supported. Perhaps that is the answer, but I am struggling to understand the recommendation to use Authorization Code Grant (without PKCE) in a Native, Mobile, or SPA context, because we cannot ensure that the client secret remains confidential to those public clients.

This leads me to believe that although it is documented and recommended, I probably should not integrate the ION API Gateway with a native, mobile, or single-page app in any capacity, or risk exposing a client secret to the user.

I appreciate any insight the community may have to offer.
Group: *MUGA
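The PKCE mechanism the post describes (RFC 7636, S256 method), as an added example that is not part of the original post or of Infor's SDK: the client derives a code_challenge from a random code_verifier, sends only the challenge in the authorization request, and later proves possession of the verifier at the token endpoint instead of presenting a client_secret. The client_id, redirect_uri and scope values are constructed placeholders, and verify_code_challenge models what a PKCE-capable authorization server checks.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes -> 43 base64url chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, stored_challenge: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and
    compare it (constant time) with the one bound to the authorization code."""
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)


def authorization_params(client_id: str, redirect_uri: str, challenge: str) -> dict:
    """Query parameters for the authorization request; only the challenge travels."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",  # constructed placeholder scope
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }


def token_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Token request for a public client: code_verifier replaces client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }
```

Because the verifier never leaves the device until the token request, an attacker who intercepts the authorization code cannot redeem it, which is the guarantee the post expects PKCE to provide in place of a shipped client secret.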