I am looking in to how best to integrate a public client application such as a Native/Mobile/Single Page application with the ION API Gateway.
I have worked with OAuth2 before - I understand and have been able to successfully retrieve an access token for ION API Gateway using Authorization Code Grant (with OIDC) and using Resource Owner Grant.
In the past, it would have been considered best practice to use Implicit Grant flow for something such as a single page application, but I know this is no longer considered best practice. The only reason I mention it is that it is still listed in the ION API SDK repo on GitHub, while this scenario is not listed at all on the developer portal.
Regardless, both sites do suggest using Authorization Code Grant for a Native or Mobile application. This aligns with my understanding of the OAuth2 best practices except that, unless I have misunderstood or overlooked something, the Ion API Gateway does not seem to support PKCE in lieu of a client secret, as I would expect it to do in order to safely authenticate from a Native/Mobile app (or even an SPA).
Despite it not being documented, I did try to retrieve the access token using typical PKCE mechanisms (i.e., using code_challenge/code_verifier in lieu of client_secret to retrieve an access token), but I receive the error message:
{ "error": "invalid_grant", "error_trace_id": "Root=1-68f001d5-70f3dc7d1424f65663c746e7", "error_description": "Client secret cannot be null or empty"}
Naturally, this is because I did not include a client secret value.
Every app authorization type within the ION API Gateway, including desktop/mobile, issues a client id and client secret. Per my understanding of OAuth2 best practices, we are not able to maintain the confidentiality of a client secret within a distributed native/mobile application (or single page web application), and as such we should not distribute the client secret with such applications. In the sample applications in the aforementioned ION API SDK, however, the client secret is being distributed in those applications.
I suppose I am questioning whether I have misunderstood something with the ION API Gateway configuration, or if this simply is not supported. Perhaps that is the answer and I am overthinking this, but I am struggling to understand the recommendation to use Authorization Code Grant without PKCE in a Native, Mobile, or SPA context, because we cannot ensure that the client secret remains confidential to those public clients.
I appreciate any insight the community may have to offer.
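For readers unfamiliar with what the question is asking the gateway to do, here is an added example (not from the original post, and not ION API or Infor code) of the PKCE mechanism described above, per RFC 7636: the public client generates a random code_verifier, sends its S256 code_challenge on the authorization request, and later proves possession of the verifier at the token endpoint instead of presenting a client_secret. The authorization server side of the check is included so it is clear what a PKCE-capable token endpoint validates. The endpoint URLs and client id are placeholders, not real ION API values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes
    # encode to exactly 43 base64url characters. Must be kept only in the
    # client's memory, never shipped with the app like a client secret would be.
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: base64url(SHA-256(ascii(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, scope: str, state: str,
                            verifier: str) -> str:
    # Step 1: the challenge (not the verifier) travels on the front channel.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str,
                        code: str, verifier: str) -> dict:
    # Step 2: the token request carries the raw verifier in place of
    # client_secret. A public client has no confidential credential to add.
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_verify_pkce(stored_challenge: str, stored_method: str,
                       presented_verifier: str) -> bool:
    # What a PKCE-capable authorization server does at the token endpoint:
    # recompute the challenge from the presented verifier and compare it with
    # the one bound to the authorization code when it was issued.
    if stored_method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Placeholder endpoints and client id; not real ION API values.
    verifier = make_code_verifier()
    state = _b64url(secrets.token_bytes(16))
    print(build_authorization_url("https://example.invalid/oauth2/authorize",
                                  "PLACEHOLDER_CLIENT_ID",
                                  "myapp://callback", "openid", state, verifier))
    print(build_token_request("PLACEHOLDER_CLIENT_ID", "myapp://callback",
                              "PLACEHOLDER_AUTH_CODE", verifier))
```

The token request dictionary contains no client_secret key at all, which is exactly the request the post reports the gateway rejecting with "Client secret cannot be null or empty"; an authorization server that implements RFC 7636 would instead accept it if server_verify_pkce passes for the challenge it stored with the code.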