
Mobile/Native Authentication: User experience and alternatives to Auth Code + PKCE


I am tasked with developing the authentication/authorization infrastructure for the following application setup:

  • Multiple APIs
  • Web application
  • Mobile (Native) apps
  • Support for social login as well as user logins created through a registration process

I've been happily implementing the following:

  • Identity Server
  • ASP.Net Core Identity
  • OIDC dynamic registration for the mobile apps
  • Authorization Code flow with PKCE for the mobile apps
  • Hybrid Flow for the Web application
  • Passing bearer tokens to the APIs

All was good until the client decided that they really, really dislike the mobile experience of opening up a browser to authenticate. They much prefer the idea of showing the username/password inputs in the app.

I know that Auth Code + PKCE is currently the best practice and that any other solution sacrifices some security. My understanding is that using embedded "web views" is frowned upon or even banned in certain situations. So my question is:

What alternatives to Auth Code + PKCE are there that are still acceptable from a security standpoint yet would maximize the mobile user experience (and minimize redirects)?


Solution

I understand the concern, and at my last company there were big issues with mobile login usability:

  • Look and feel was important - and logins may be the very first experience people have with your app

  • Password autofill never worked on webviews - high-profile users had to type their password on small mobile keyboards on every login - they forgot the password on 50% of logins, leading to huge frustration

The solution everyone liked was to use AppAuth libraries with Chrome Custom Tabs (Android) + ASWebAuthenticationSession (iOS).

The tech is not perfect and is tricky to implement - but it is the best usability option I think. See my write-up and maybe run it by your stakeholders: https://authguidance.com/2019/09/13/android-code-sample-overview/