To summarize this chapter, your authorization server should support the following in order to fully support secure authorization for native apps.
- Allow clients to register custom URL schemes for their redirect URLs.
- Support loopback IP redirect URLs with arbitrary port numbers in order to support desktop apps.
- Don’t assume native apps can keep a secret. Require all apps to declare whether they are public or confidential, and only issue client secrets to confidential apps.
- Support the PKCE extension, and require that public clients use it.
- Attempt to detect when the authorization interface is embedded in a native app’s web view, instead of launched in a system browser, and reject those requests.