Mobile applications must use an approach similar to that of regular web applications, called Authorization Code Flow with Proof Key for Code Exchange (PKCE). The main difference from the classic Authorization Code Flow is that the mobile application is not issued a client secret. Instead, for each login it generates a random code verifier, sends a hash of it (the code challenge) with the authorization request, and presents the verifier itself when it exchanges the authorization code for tokens; the authorization server only issues tokens if the two match, so an intercepted authorization code is useless on its own. A mobile application can't be trusted with a client secret because it's distributed directly to users and is therefore no longer under the developer's control: the app package can be decompiled and analyzed to extract any secret embedded in it.
This section provides instructions on how to configure Okta for mobile apps so that your mobile users can benefit from delegated authentication as well.
Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to Okta to be able to configure it properly.
Make sure to have provisioned an existing Okta user with which you can authenticate to WorkflowGen so that you can use the application afterwards.
Make sure to have the latest WorkflowGen Plus version installed on a supported device that you have access to.
Make sure to have successfully configured delegated authentication to Okta on your WorkflowGen instance following the instructions in the Okta authentication section.
In your Okta developer portal, go to the Applications item under the Applications menu, then click the Create App Integration button.
Select the following options under Create a new app integration, then click Next:
Sign-in method: OIDC - OpenID Connect
Application type: Native Application
Enter the following information:
App integration name: WorkflowGen Plus
Grant type: Check Authorization Code and Refresh Token
Sign-in redirect URIs: workflowgenplus://oidc
Sign-out redirect URIs: workflowgenplus://oidc
Controlled access: Check Allow everyone in your organization to access
Click the Save button.
On your Okta WorkflowGen Plus native application page, go to the General Settings section on the General tab, then click the Edit button.
Enter the following information:
Initiate login URI: workflowgenplus://oidc
Click Save.
If you've set up delegated authentication to Okta on your WorkflowGen server, your Okta WorkflowGen GraphQL API authorization server should already have an access policy that lets any configured client access it, so there's nothing left to do on the Okta side. Here's a review of the information you need:
A client ID, which can be found on the Okta WorkflowGen Plus native application page's Settings tab.
Your Okta domain name, which can be found directly to the left of your profile picture in the top right corner of the page.
All of this information must be given to the users who will be using the mobile application; they'll need to enter it directly into the app. Neither value is a secret: the PKCE exchange described above is what protects the login, so the client ID and domain can be shared with users safely.
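The following is an added example (not code from WorkflowGen Plus or from Okta) that ties the PKCE explanation at the top of this page to the native application configured above. It shows what the mobile client sends to the Okta authorization server (client ID, the workflowgenplus://oidc redirect URI, the authorization code and refresh token grants via the openid and offline_access scopes, and the S256 code challenge), what it later sends to the token endpoint instead of a client secret, and the check the server performs. The Okta domain, client ID and custom authorization server ID are placeholders; the authorization code is a constructed sample, since only Okta issues real ones.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions): the user enters the real client ID and
# Okta domain into WorkflowGen Plus as described on this page.
OKTA_DOMAIN = "dev-123456.okta.com"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "workflowgenplus://oidc"
# Okta custom authorization server (the "WorkflowGen GraphQL API" server);
# the server ID below is an assumed placeholder.
ISSUER = f"https://{OKTA_DOMAIN}/oauth2/ausexampleserverid"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier (32 random bytes -> 43 unreserved characters)."""
    return b64url(secrets.token_bytes(nbytes))


def challenge_from_verifier(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Authorization request the app opens in the system browser."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",                    # Authorization Code grant
        "scope": "openid profile offline_access",   # offline_access -> Refresh Token grant
        "redirect_uri": REDIRECT_URI,               # Sign-in redirect URI configured in Okta
        "state": state,                             # CSRF protection, checked on return
        "code_challenge": challenge_from_verifier(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Body of the POST to /v1/token. No client_secret: the verifier proves possession."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def server_check_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """What the authorization server does at /token: recompute the challenge from
    the presented verifier and compare it, in constant time, with the one it stored
    when it issued the code."""
    if method != "S256":
        return False
    return secrets.compare_digest(stored_challenge, challenge_from_verifier(presented_verifier))


def simulate_flow() -> bool:
    """Happy path: the same app instance that started the login finishes it."""
    verifier = make_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorize_url(verifier, state)
    q = parse_qs(urlparse(url).query)
    stored_challenge = q["code_challenge"][0]        # server keeps this with the code
    code = "constructed-sample-auth-code"            # constructed; Okta issues the real one
    req = build_token_request(code, verifier)
    return server_check_pkce(stored_challenge, q["code_challenge_method"][0], req["code_verifier"])


def simulate_stolen_code() -> bool:
    """Failure mode PKCE is designed for: an attacker who intercepts the redirect
    (another app registered for the workflowgenplus:// scheme, for instance) gets the
    code but not the verifier, so the token request is refused."""
    victim_verifier = make_verifier()
    stored_challenge = challenge_from_verifier(victim_verifier)
    attacker_request = build_token_request("constructed-sample-auth-code", make_verifier())
    return server_check_pkce(stored_challenge, "S256", attacker_request["code_verifier"])


if __name__ == "__main__":
    print("legitimate exchange accepted:", simulate_flow())
    print("stolen code without verifier accepted:", simulate_stolen_code())
```

The verifier never leaves the device until the token request, and the token request is sent over TLS directly to Okta, so the only thing an eavesdropper on the redirect sees is a code that cannot be redeemed. This is why the native application above needs no client secret and why the client ID can be handed to users.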