Thanks John,
I’m also OK to exchange id_token (from token endpoint) with access/refresh
token using OAuth assertion flow etc., if the AuthZ server is an OpenID Connect
IdP.
(In my case, AuthZ server would be OIDC IdP)
ps.
I also want to use PKCE for the native app & its backend combination case.
S
There is a missing step in this flow that also needs to be considered, and that
is how the app authenticates to the backend server.
In the Google case they are providing a JWT/id_token to the client from the
token endpoint for the client to use for its authentication to its backend.
It would
Hi OAuthers,
I’m thinking about the way to issue refresh tokens both to a native app and its
backend server at the same time.
I have 2 ideas currently.
1. including 2 audiences in a single authorization code, and allowing the code
to be used once per audience.
2. issuing 2 codes, one for native app, one for backe
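To make idea 1 concrete, here is an added sketch (not code from this thread or from any of its participants) of an authorization server that issues one code carrying two audiences and lets each audience redeem it once. It also folds in the two points raised in the other messages: the native app proves possession of its PKCE verifier (RFC 7636, S256), while the backend redeems its share by authenticating as a confidential client, which is one answer to John's question of how the backend leg is authenticated. Every name here (`AuthorizationServer`, `issue_code`, `redeem`, the `"native-app"`/`"backend"` audience labels, the `backend-svc` client and its secret) is invented for the illustration, and the per-audience split of authentication methods is an assumption, not something the thread or any RFC specifies.

```python
"""Constructed illustration of 'one code, two audiences, one redemption each'.
Hypothetical names throughout; not a reference implementation."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 60  # authorization codes should be short-lived (RFC 6749 §4.1.2)


def b64url_sha256(data: str) -> str:
    """S256 transform from RFC 7636: base64url(SHA-256(data)) without padding."""
    digest = hashlib.sha256(data.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43-character code_verifier (32 random bytes, base64url) per RFC 7636 §4.1."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


@dataclass
class CodeRecord:
    subject: str
    audiences: frozenset          # e.g. {"native-app", "backend"}
    code_challenge: str           # S256 challenge sent by the native app
    backend_client_id: str        # confidential client allowed to redeem for "backend"
    expires_at: float
    redeemed_for: set = field(default_factory=set)


class AuthorizationServer:
    def __init__(self):
        self._codes: dict[str, CodeRecord] = {}
        # constructed client registry: one confidential backend client
        self._client_secrets = {"backend-svc": "constructed-secret-not-for-real-use"}

    def issue_code(self, subject, audiences, code_challenge, backend_client_id, now=None) -> str:
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(subject, frozenset(audiences), code_challenge,
                                       backend_client_id, now + CODE_TTL_SECONDS)
        return code

    def _fail(self, code):
        # Any failed or replayed attempt burns the code for *all* audiences, so a
        # leaked code cannot be retried against the other leg.
        self._codes.pop(code, None)
        return None

    def redeem(self, code, audience, *, code_verifier=None, client_id=None,
               client_secret=None, now=None):
        """Return a token set for one audience, or None. Each audience redeems once."""
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if rec is None or now > rec.expires_at or audience not in rec.audiences:
            return self._fail(code)
        if audience in rec.redeemed_for:
            return self._fail(code)        # second use for the same audience
        if audience == "native-app":
            # public client: must present the verifier matching the stored challenge
            if code_verifier is None or not (43 <= len(code_verifier) <= 128):
                return self._fail(code)
            if not hmac.compare_digest(b64url_sha256(code_verifier), rec.code_challenge):
                return self._fail(code)
        else:
            # confidential backend: authenticates with its registered credentials
            expected = self._client_secrets.get(client_id)
            if (client_id != rec.backend_client_id or expected is None
                    or not hmac.compare_digest(expected, client_secret or "")):
                return self._fail(code)
        rec.redeemed_for.add(audience)
        if rec.redeemed_for == rec.audiences:
            del self._codes[code]          # fully consumed by both audiences
        return {"aud": audience, "sub": rec.subject,
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(32)}
```

The store deliberately destroys the code on the first failure of either leg rather than letting the other audience continue, mirroring the RFC 6749 guidance to revoke everything derived from a reused code; a server that wanted independent legs would have to accept that a stolen code stays partially live.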