user933709

Reputation: 53

Which OAUTH2 flow for mobile access and SSO

I have been studying the OAuth2 spec and lots of supporting material, but can't decide on what the best approach/flow is to use for my use case.

I have a web application that my users can access via an SSO mechanism. It's a basic enough mechanism, but it involves the user authorising themselves on their own network, and sending me an encrypted token which contains the user information. I process this and set up a session on my web app.

I now have a set of REST APIs that will allow a mobile web client (currently Android) to pull data down from my web app. I want to re-use this SSO mechanism to generate an OAuth token which the mobile client uses to identify itself with each REST request. Ideally the flow would be seamless, i.e. the user opens a browser on their phone, authenticates on their own system, and is directed to a home URL for the mobile web client with an OAuth token.

From what I have read all the OAuth2 flows seem to work the other way, i.e. the user first talks to my Authorisation server, then will get redirected to their own authentication system and will then be redirected back to my authorisation server and be issued a token. My worry is that this way around may require changes on how my users authorise themselves locally.

Am I missing something here?

Upvotes: 1

Views: 1805

Answers (1)

Zólyomi István

Reputation: 2441

If I understand your problem correctly, it's not that complicated. Your scenario should use the implicit grant message flow (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26#section-4.2) designed for mobile applications. So your message flow will be:

  1. When the mobile application is started, it sends a token request to the OAuth server. The server responds with a redirect to your web application. The result page is shown to the user.
  2. The user signs in (either manually or using SSO), reads the details of the authorization request and hopefully approves it. The approval is sent to the OAuth server.
  3. The OAuth server generates a token and returns a redirect, containing the token information in the URL fragment.
  4. Your mobile application extracts the token from the fragment and uses it to access the protected resources.

To achieve this, you need an OAuth client for your mobile app, an OAuth server web app and an approval page in your web application to support the scenario. If the OAuth server is tightly integrated into your web application, you may not need the redirections between the server and your application.

Upvotes: 1
