Can I use Authorization Code with PKCE Flow for mobile app?

There are two main options here:

1. AUTHORIZATION CODE FLOW + PKCE

This is typically done by plugging in AppAuth libraries and using a Chrome Custom Tab or ASWebAuthenticationSession window so that the user experience feels integrated. These are the main advantages:

• Login tends to be more user friendly, and features such as password autofill and single sign on across multiple apps works best

• You can potentially support many authentication options rather than just user name and password

• It will do better in third party security reviews (if applicable) since it is the standard option - eg Google use it for mobile Gmail

There is a learning curve in implementing it though. Also, it has a prerequisite of using an Authorization Server and externalising the login user experience. This can be difficult to manage politically at some companies.

2. RESOURCE OWNER PASSWORD GRANT

This is also possible as a short term solution but is deprecated in OAuth 2.1 and will fare less well in security reviews. It limits you to password based sign in and can sometimes result in long lived access tokens (if refresh tokens are not supported). Plus points are that you are more in control of branding and login screen behaviour.

PRACTICAL NEXT STEPS

If you want to look at some working apps that use Code Flow + PKCE, feel free to run the apps from my Quick Start Page. Maybe then you can make an informed decision based on factors such as User Experience and what is most important to your stakeholders.