Public clients, such as mobile or single-page applications, are bound to encounter security threats when requesting access tokens over Authorization Code flow alone. This is because mobile apps cannot securely store a client secret. Decompiling the mobile app will reveal the client secret. Another security challenge is that authorization code can be intercepted by third-party applications. When it comes to single-page apps, such apps cannot securely store a client secret because their entire source is available to the browser.
To mitigate these security threats, OAuth 2.0 recommends Proof Key for Code Exchange (PKCE) as an extension to the authorization code flow to securely perform access token exchange using public clients.
WSO2 API Cloud has inbuilt support for the authorization code grant with PKCE security standard, which allows you to focus only on the implementation aspect of your mobile/single-page application. Thus, you can securely consume your WSO2 API Cloud APIs via mobile/single-page applications.
We have written a sample cross platform Flutter-based mobile application to demonstrate how you can securely invoke an API through WSO2 API Cloud with PKCE. Do take a look at our documentation to find out more details and try out the sample.
The sample demonstrates the end-to-end flow of how you can securely invoke your WSO2 API Cloud APIs via a simple mobile application. You only have to improve your mobile app to cater to your business requirements after trying out the sample.
If you are a single page application developer, you can grab the complete security flow by going through the GitHub README.