SpiritBob

Reputation: 2672

How exactly do mobile apps achieve authorization code flow with PKCE?

Let's imagine the following:

  1. I've developed a mobile app using Xamarin (iOS/Android compatible)
  2. I want it to support OAuth2 + OpenID Connect's authorization code flow with PKCE, so that the user's credentials are never stored on the device, but rather an access token is. The token grants access to an API used to make the whole mobile app function, meaning the mobile app is simply a front-end interface/UI.
  3. Is my mobile app considered the "client application", or the "Resource owner"?

The third step makes it so hard for me to grasp this. If it's considered the client application, how will following through the whole code flow protect us from anything, as most of the things will be visible (mobile apps are public clients; there is no back-channel)?

If it's considered resource owner, then does that mean I'd have to whip out an entire dedicated back-end, separate from my API, separate from my Authorization Server, and just specific for the mobile app (it will be the "Client application")?

If someone could shine some light on this, please let me know. The title is not very correct, if it can be edited to better fit this question, I'd be very thankful.

Upvotes: 2

Views: 2443

Answers (1)

Gary Archer

Reputation: 29218

Your mobile app is the client application - with a trust entry configured in the Authorization Server. PKCE works by the mobile app generating a runtime secret used in 2 messages:

  • The login redirect
  • An authorization code grant message

See steps 4, 7 and 8 from my article to understand PKCE messages.

Mobile OAuth involves integrating AppAuth libraries, which is not easy, though you'll have the best security and usability once complete.

I have a sample Android app and article that you can easily run.

The behaviour on iOS is similar.

Upvotes: 1
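An added example of the two PKCE messages the answer describes (the login redirect carrying the code_challenge, and the code grant carrying the code_verifier), plus the recomputation the Authorization Server performs. This is not code from the answer or from AppAuth; it is in Python so it runs anywhere, and the client_id, redirect_uri and state values are assumed placeholders.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    """Runtime secret the app creates per login attempt and keeps only in memory.
    32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(num_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: the only PKCE value that leaves the device in message 1."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def login_redirect_params(client_id: str, redirect_uri: str, challenge: str, state: str) -> dict:
    """Message 1: query parameters of the browser redirect to the authorize endpoint.
    Visible to anyone watching the device, but only the hash is exposed."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }


def code_grant_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Message 2: body of the token request; the verifier is revealed here, over TLS,
    so an intercepted authorization code alone cannot be redeemed."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization Server side: recompute S256 over the presented verifier and
    compare in constant time with the challenge stored against the code."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```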
