OAuth 2.0 for Native Apps

4 1 0


We are building an IOS SwiftUI application that interacts with Shopify. The application is intended to be a public application published in the Shopify App Store. We have been building the application using private app credentials, but we are now ready to implement the public oAuth authorization flow. It is our understanding that the oAuth 2.0 specification includes a flow that will support this use case. 

Our general question is: 

Does Shopify's authorization server support native apps, as documented in RFC 8252; either through custom URI schemes, or loopback HTTP redirects?

More specifically:

RFC 8252 states :

There are several redirect URI options available to native apps for receiving the authorization response from the browser, the availability and user experience of which varies by platform. To fully support this best practice, authorization servers MUST offer at least the three redirect URI options described in the following subsections to native apps. Native apps MAY use whichever redirect option suits their needs best, taking into account platform-specific implementation details.

  • Private-Use URI Scheme Redirection
  • Claimed "https" Scheme URI Redirection
  • Loopback Interface Redirection

Does Shopify's authorization server support either of these 3 redirect options?

RFC 8252 states :

Public native app clients MUST implement the Proof Key for Code
   Exchange (PKCE [RFC7636]) extension to OAuth, and authorization
   servers MUST support PKCE for such clients, for the reasons detailed
   in Section 8.1.

Does Shopify's authorization server support PKCE?


If the answer to either of these questions is no, which authorization mechanism does Shopify recommend for IOS native applications?