Wild Apricot Auth w/Mobile (Specifically React Native)
So we're working on a mobile app for our members at ITEA. Rather than create yet one more account on yet one more app, this app will hit the Wild Apricot API, acquire an auth token based on a member's email and password, and then send back the user's information via the contacts/me endpoint. One login; two platforms. Makes sense.
We're running into some hurdles with the auth API for mobile. Specifically, I'm using React Native and a package called react-native-app-auth to handle the OAuth process. This package in turn uses the AppAuth SDK for iOS and Android.
Hurdles:
1) The username / password auth process doesn't seem to work well with my particular auth package. Has anyone else successfully used the Wild Apricot username / password auth method for a mobile app? If so, was the AppAuth SDK used? Did re-directing back to the mobile app work okay? And was a token granted without the use of an intermediary code?
2) Given the issues I've had with the username / password method, I would be willing to go with the more traditional single sign-in service method. However, that process seems to favor web applications and requires re-direct paths to begin with https:// (and with a mobile app this would not be the case). While I understand why this restriction is in place, relaxing this requirement would allow mobile apps to also use the single sign-in method. Any chance of this happening?
3) These days, the use of static client secrets for mobile is frowned upon from a security standpoint. Are there plans to move to the PKCE OAuth extension and dispense with client secrets entirely? Also: any chance of OpenID being implemented in general?
Any insight on this would be greatly appreciated.
1. Never tried it internally, but the OAuth service itself works well with all our mobile apps and many other services.
2. No, we only support HTTPS. But if you open the login window in a WebView, then you can intercept requests with onNavigationStateChange. If interception works, then you can use any domain name for redirect (i.e. “https://localhost” or “https://mycustomapp”).
3. No plans so far.