I’m attempting to know if I can do what I want to accomplish with Oauth with out creating safety points.
I’ve an iOS app that connects to a third social gathering oauth api presently utilizing PKCE auth. It shops the refresh/entry tokens within the keychain and as quickly as a refresh occurs the previous refresh token will get invalidated and the brand new one will get saved as a substitute. Refresh token rotation solely occurs for pkce auth, not for traditional confidential consumer auth.
I need to add some serverside capabilities with consumer accounts for customers that decide right into a sure characteristic, the place the server would additionally must have an energetic session for that consumer.
My present setup won’t work with this as a result of the third social gathering API invalidates the refresh token as soon as renewed, in order that signifies that the app and server aspect can’t preserve energetic periods.
So I’m questioning if there’s a that I can securely swap my utilization in my app to consumer credential move and perhaps have a server that steps within the center and has the consumer secrets and techniques in it, so the app might use consumer credential move after which ship a refresh token into the server for sure customers and the server can have an energetic session.
is that this doable?
