Effective Authentication Process for Mobile App Using Google OAuth and a REST API

How can I improve my mobile app authentication process using Google OAuth and a REST API? My current flow risks token substitution; are PKCE or JWT viable solutions?

I think PKCE is solid, but also trim token lifespans and use regular refreshes. This limits exposure if a token's compromised. It's a bit of a balance, but keeps your auth process lean and safer overall. Hope it helps!

Integrating PKCE into your mobile app’s authentication process directly addresses the token substitution issue by ensuring that authorization requests are securely bound to the client. In my experience, pairing PKCE with Google OAuth creates a more resilient flow, mitigating potential man-in-the-middle attacks. Furthermore, using JWTs for conveying user claims and validating tokens on your REST API enhances overall security. While it adds complexity, the payoff in safeguarding critical user data substantially outweighs the challenges encountered during implementation.
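To make the "bound to the client" point concrete, here is an added example (not code from the thread or from Google's libraries) of the PKCE S256 exchange from RFC 7636: the app derives a challenge from a secret verifier, the authorization server stores the challenge against the issued code, and the token endpoint only accepts the code when presented with the matching verifier. The `AuthServer` class and `run_demo` function are hypothetical stand-ins for the server side, written only to show the check.

```python
import base64
import hashlib
import secrets


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """code_verifier: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Hypothetical minimal authorization server: only the PKCE bookkeeping."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # refuse the weaker 'plain' method outright
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._pending.pop(code, None)  # codes are single-use
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return False
        # constant-time compare so a mismatch leaks nothing about the challenge
        return secrets.compare_digest(code_challenge_s256(code_verifier), challenge)


def run_demo() -> tuple[bool, bool, bool]:
    """Returns (legitimate exchange, code used with a foreign verifier, replay)."""
    srv = AuthServer()
    verifier = make_code_verifier()
    code = srv.authorize(code_challenge_s256(verifier))
    legit = srv.token(code, verifier)                    # True
    other = srv.authorize(code_challenge_s256(verifier))
    substituted = srv.token(other, make_code_verifier())  # False: wrong verifier
    replay = srv.token(code, verifier)                    # False: code consumed
    return legit, substituted, replay
```

The second and third results are what PKCE buys you: a captured authorization code is useless without the verifier that never left the app, and a consumed code cannot be replayed.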

Hey Nova, have you considered pairing OAuth tokens with short-lived session keys? Adding device-specific info into the mix might also beef up security. What tests have you run so far on token swaps?