Bart Jedrocha

Reputation: 11580

OAuth2 Flow for Mobile Devices

We're currently working on an API that will be consumed by a variety of different devices. We want to use the OAuth2 spec as it defines several flows which were not available in the original OAuth spec. My question is, what flow would work best for a mobile device such as the iPhone or iPad? What flow does an application like TweetDeck use?

Looking around the web it seems clients like TweetDeck use the "Username and Password Credentials Flow" (browserless token exchange). Can anyone provide more information on this topic?

Upvotes: 11

Views: 3033

Answers (2)

Aiden Bell

Reputation: 28384

Also checkout the device profile at https://datatracker.ietf.org/doc/html/draft-recordon-oauth-v2-device-00

Here, the user sees a unique code on their handset, and is required to enter that code into the browser, while logged in, to authenticate the device.

Upvotes: 0
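The device profile described in this answer, as an added example that is not part of the original answer or of the linked draft: a simulated authorization server and the device-side exchange in one process. The endpoint and field names (`device_code`, `user_code`, `authorization_pending`, `slow_down`, `interval`) follow the later standardized form of this grant (RFC 8628); the linked draft is an earlier revision and its wire format may differ. The `verification_uri`, client ids and user names are constructed values.

```python
"""Simulated OAuth2 device authorization flow: the handset shows a short code,
the already-signed-in user types it into a browser, and only then does the
device's poll of the token endpoint return an access token.
Added example; field names follow RFC 8628, not necessarily the linked draft."""
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or look-alike characters: easy to read and type
DEVICE_CODE_TTL = 600   # seconds a pending device code stays redeemable
POLL_INTERVAL = 5       # minimum seconds between token polls from the device


class FakeClock:
    """Controllable clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthServer:
    """Authorization server: issues the code pair, records the browser approval,
    and hands the device a token only after the signed-in user entered the code."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}        # device_code -> pending authorization record
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id):
        """Device endpoint: the handset calls this first and displays user_code."""
        device_code = secrets.token_urlsafe(32)     # long, secret, never shown to the user
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"          # short and human-typable, e.g. WDJB-MJHT
        self.pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "user": None,
            "expires_at": self.clock() + DEVICE_CODE_TTL, "last_poll": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://auth.example/device",  # constructed value
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    def approve(self, user_code, user_id):
        """Browser side: the logged-in user submits the code shown on the device."""
        device_code = self.by_user_code.get(user_code.strip().upper())
        rec = self.pending.get(device_code)
        if rec is None or rec["expires_at"] < self.clock():
            return False   # unknown or expired code: the user must restart on the device
        rec["user"] = user_id
        return True

    def token(self, device_code):
        """Token endpoint polled by the device with the secret device_code."""
        rec = self.pending.get(device_code)
        now = self.clock()
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["expires_at"] < now:
            self._forget(device_code, rec)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}   # device is polling faster than the advertised interval
        rec["last_poll"] = now
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        self._forget(device_code, rec)      # single use: the code cannot be redeemed twice
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": 3600, "user": rec["user"]}

    def _forget(self, device_code, rec):
        self.pending.pop(device_code, None)
        self.by_user_code.pop(rec["user_code"], None)


def run_flow():
    """Whole exchange: request codes, poll too early, user approves, poll again, replay."""
    clock = FakeClock()
    server = AuthServer(clock)
    grant = server.device_authorization("mobile-app")   # handset now shows grant["user_code"]
    first = server.token(grant["device_code"])          # user has not approved yet
    clock.advance(POLL_INTERVAL)
    approved = server.approve(grant["user_code"].lower(), "alice")  # typed into the browser
    second = server.token(grant["device_code"])         # now carries the access token
    third = server.token(grant["device_code"])          # reuse of the device code is refused
    return {"first": first, "approved": approved, "second": second, "third": third}


if __name__ == "__main__":
    print(run_flow())
```

The two pieces worth noting from a defender's view are that the device only ever learns the long random `device_code` and the short `user_code` (never the user's credentials), and that the token endpoint enforces the poll interval, the code lifetime and single use, so a leaked or replayed device code buys an attacker nothing after the first redemption.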

NG.

Reputation: 22914

The username and password flow you discuss should only be used if there is a trust between the end-user (mobile device user) and the client requesting auth (the app on the mobile). In this case, it seems reasonable that this trust would exist. What basically happens is that the credentials are sent to the auth server in exchange for an access token.

It is expected that you DO NOT store the credentials. Instead, you should store the access token and the refresh token and use those. The refresh token mechanism is defined in the spec here and using the access tokens is discussed here.

Upvotes: 6
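The exchange this answer describes, as an added example that is not part of the original answer or of the OAuth2 spec: a simulated authorization server implementing the username/password grant plus refresh tokens, and a hypothetical mobile client that sends the password exactly once, keeps only the two tokens, and refreshes transparently when the access token expires. The user database, token lifetimes and `MobileClient.store` (standing in for the device keychain) are constructed for the example.

```python
"""Simulated OAuth2 resource owner password credentials grant with refresh tokens.
Added example; the server, the mobile client and the token store are hypothetical."""
import hmac
import secrets
import time

ACCESS_TTL = 3600                 # access tokens are short-lived
REFRESH_TTL = 30 * 24 * 3600      # refresh tokens are long-lived but single-use here


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting."""
    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthServer:
    def __init__(self, users, clock=time.time):
        self.users = users      # username -> password (plaintext only in this toy; hash in practice)
        self.clock = clock
        self.access = {}        # access_token -> (user, expires_at)
        self.refresh = {}       # refresh_token -> (user, expires_at)

    def password_grant(self, username, password):
        """One-time exchange of the user's credentials for a token pair."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return {"error": "invalid_grant"}
        return self._issue(username)

    def refresh_grant(self, refresh_token):
        """Exchange a refresh token for a fresh pair; the old refresh token is consumed."""
        entry = self.refresh.pop(refresh_token, None)   # rotation: single use
        if entry is None or entry[1] < self.clock():
            return {"error": "invalid_grant"}
        return self._issue(entry[0])

    def _issue(self, user):
        now = self.clock()
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, now + ACCESS_TTL)
        self.refresh[rt] = (user, now + REFRESH_TTL)
        return {"access_token": at, "token_type": "bearer",
                "expires_in": ACCESS_TTL, "refresh_token": rt}

    def resource(self, access_token):
        """Protected API endpoint: accepts only an unexpired access token."""
        entry = self.access.get(access_token)
        if entry is None or entry[1] < self.clock():
            return {"error": "invalid_token"}
        return {"profile_of": entry[0]}


class MobileClient:
    """App-side logic: the password is sent once and then dropped; only tokens persist."""
    def __init__(self, server, clock=time.time):
        self.server, self.clock = server, clock
        self.store = {}   # stands in for the device keychain: tokens only, never the password

    def login(self, username, password):
        resp = self.server.password_grant(username, password)
        if "error" in resp:
            return False
        self._save(resp)   # password is deliberately not written anywhere
        return True

    def _save(self, resp):
        self.store = {"access_token": resp["access_token"],
                      "refresh_token": resp["refresh_token"],
                      "expires_at": self.clock() + resp["expires_in"]}

    def call_api(self):
        if not self.store:
            return {"error": "not_logged_in"}
        if self.store["expires_at"] <= self.clock() + 30:   # expired or about to: refresh first
            resp = self.server.refresh_grant(self.store["refresh_token"])
            if "error" in resp:
                self.store = {}          # refresh token gone: only a new login can recover
                return {"error": "login_required"}
            self._save(resp)
        return self.server.resource(self.store["access_token"])


if __name__ == "__main__":
    clock = FakeClock()
    app = MobileClient(AuthServer({"alice": "s3cret"}, clock), clock)
    print(app.login("alice", "s3cret"), app.call_api())
    clock.advance(ACCESS_TTL + 1)
    print(app.call_api())   # served after a transparent refresh
```

Two choices matter for the point the answer makes: the client object holds tokens but no password, so a compromise of the device's storage exposes revocable tokens rather than the user's reusable credential; and refresh tokens are rotated on every use, so a stolen refresh token is detectable (its replay fails) and bounded by `REFRESH_TTL`.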
