For the past few days, I have been wondering about the authentication issue in mobile applications. I am in the process of implementing a mobile application using React Native.
I'm also implementing an API for this application using .NET Core 6.0 technology, and I'm trying to use the OpenIddict library.
One thing I can't understand: mobile applications nowadays, when trying to log in with a login (mail/login/phone number), do not redirect to a separate login page, which should be hosted by an authorization server.
So how do apps use PKCE (if they use it at all)? Is it possible to implement PKCE without hosting such a page? Is it possible to implement an authentication server on the same server where the resources are available? Are two servers even necessary for the secure operation of such an application?