Modern mobile applications frequently adopt OAuth2 with Proof Key for Code Exchange (PKCE) to protect authorization code flows from interception attacks. However, many production mobile systems already provide a native username and password login interface, and migrating to a fully browser-based OAuth login experience can significantly impact usability and require major architectural redesign. This paper proposes a Non-Interactive PKCE architecture that preserves the native mobile authentication experience while maintaining strong OAuth2 security guarantees. The architecture separates authentication and authorization responsibilities by introducing a cryptographically protected trust artifact called oaCode, generated by an App Authentication Server (AUS). The oaCode securely transfers authenticated context to an App OAuth2 Server (AOS), allowing the OAuth authorization flow to proceed without additional user interaction. PKCE verification is enforced during token exchange to ensure that intercepted authorization codes cannot be redeemed by malicious applications. The proposed architecture demonstrates how existing mobile authentication systems can integrate OAuth2 authorization while maintaining both security and usability.
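As an added illustration (not code from the paper), the following Python sketch models the roles the abstract describes: the AUS issues a cryptographically protected oaCode after the native login, the AOS accepts it in place of an interactive login and binds the resulting authorization code to the client's code_challenge, and the token endpoint enforces the S256 PKCE check so a code obtained without the matching code_verifier cannot be redeemed. The oaCode wire format (HMAC-SHA256 over a JSON body) and the shared key are assumptions; the paper does not specify them.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed secret shared by AUS and AOS. The oaCode wire format (HMAC-SHA256 over a
# JSON body with audience and expiry) is an assumption; the paper does not specify it.
AUS_AOS_KEY = b"constructed-demo-key-do-not-reuse"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def aus_issue_oacode(user_id: str, client_id: str, ttl: int = 60) -> str:
    """AUS: after the native username/password login succeeds, emit the oaCode artifact."""
    body = json.dumps({"sub": user_id, "aud": client_id, "jti": secrets.token_hex(8),
                       "exp": int(time.time()) + ttl}, sort_keys=True).encode()
    return b64url(body) + "." + b64url(hmac.new(AUS_AOS_KEY, body, hashlib.sha256).digest())

class AppOAuth2Server:
    """AOS: trusts oaCode instead of showing a login page; PKCE is checked at token exchange."""
    def __init__(self):
        self.codes = {}  # authorization code -> (sub, client_id, code_challenge)

    def authorize(self, oacode: str, client_id: str, code_challenge: str) -> str:
        body_b64, tag_b64 = oacode.split(".")
        body = b64url_decode(body_b64)
        tag = hmac.new(AUS_AOS_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, b64url_decode(tag_b64)):
            raise ValueError("oaCode signature invalid")
        claims = json.loads(body)
        if claims["aud"] != client_id or claims["exp"] < time.time():
            raise ValueError("oaCode expired or issued for another client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (claims["sub"], client_id, code_challenge)
        return code

    def token(self, code: str, client_id: str, code_verifier: str) -> dict:
        sub, bound_client, challenge = self.codes.pop(code, (None, None, None))  # single use
        if sub is None:
            raise ValueError("unknown or already redeemed authorization code")
        derived = b64url(hashlib.sha256(code_verifier.encode()).digest())  # S256 method
        if bound_client != client_id or derived != challenge:
            raise ValueError("PKCE verification failed")  # the code is burned either way
        return {"access_token": secrets.token_urlsafe(16), "sub": sub}

def run_flow(code_verifier_at_exchange=None) -> dict:
    """Full flow for user 'alice'; pass a wrong verifier to simulate an app holding only the code."""
    aos, verifier = AppOAuth2Server(), b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    code = aos.authorize(aus_issue_oacode("alice", "mobile-app"), "mobile-app", challenge)
    return aos.token(code, "mobile-app", code_verifier_at_exchange or verifier)
```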
Keywords
OAuth2, PKCE, Mobile Security, Authorization Code Flow, Authentication Architecture, Identity Server, Secure Mobile Applications, oaCode (OAuth Authorization Code Bridge)
Conclusion
This paper presents a Non-Interactive PKCE architecture designed for mobile applications that already maintain native authentication systems. By separating authentication from authorization and introducing a secure trust artifact known as oaCode, the architecture enables seamless integration of existing identity infrastructures with OAuth2 PKCE authorization flows.
The proposed design ensures that token issuance remains strictly protected by PKCE verification while preserving the native mobile login experience. This approach demonstrates that strong OAuth security guarantees can coexist with enterprise authentication architectures without requiring disruptive changes to existing mobile applications.
The architecture provides a practical and secure framework for integrating modern OAuth authorization mechanisms into real-world mobile systems.