James B

Reputation: 9605

OAuth2: Which flow to use?

There appear to be four distinct flows in OAuth2, i.e. (link),

  1. Authorization Code Flow - used with server-side Applications
  2. Implicit - used with Mobile Apps or Web Applications (applications that run on the user's device)
  3. Resource Owner Password Credentials - used with trusted applications such as those owned by the service itself.
  4. Client Credentials - used with Applications API access.

If I'm developing a mobile application that will consume resources from its own API, i.e., the mobile app is developed by the same team developing the API, which of the four OAuth flows should I use and how?

Given my scenario, it sounds to me like option 3 is the way to go. If this is the case, would you adopt the following process:

  1. Release your mobile app with the ClientId and ClientSecret stored on it (deemed okay as the application is trusted).
  2. Ask the user to log into their account using cookie-based authentication (immediately deleting their username and password).
  3. Cache the hash of their username and password returned in the response of the cookie-based authentication.
  4. Use the cached username and password, along with the ClientId and ClientSecret, to request access and refresh tokens from the token endpoint of the OAuth server.

Does this seem sensible? It would be good to know if I'm on the right track with the above thought process, or if I'm doing something incredibly silly and ought to be doing this some other way.

Upvotes: 3

Views: 626

Answers (2)

Takahiko Kawasaki

Reputation: 19011

Resource Owner Password Credentials flow would be okay for your case.

BTW, it is difficult for a mobile application to keep its client secret confidential (RFC 6749, 2.1. Client Types, RFC 6749, 9. Native Applications). Therefore, in normal cases, a client secret should not be embedded in a mobile application. In other words, embedding a client secret is almost meaningless in terms of security.

Upvotes: 3
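As an added example (not from the question or either answer), here is the Resource Owner Password Credentials exchange of RFC 6749 section 4.3 followed by a refresh per section 6, with both the client's request bodies and a minimal token endpoint. The mobile app is treated as a public client with no client secret, as the answer recommends, and it stores only the refresh token rather than the user's credentials; the client id `mobile-app`, the user record and the token store are constructed sample data.

```python
import secrets
from urllib.parse import urlencode, parse_qs

# Constructed sample data (hypothetical names): one user, one public client,
# and a server-side store binding each refresh token to (client_id, username).
USERS = {"alice": "correct horse battery staple"}
PUBLIC_CLIENTS = {"mobile-app"}          # public clients: no client_secret is issued
REFRESH_TOKENS = {}                       # refresh_token -> (client_id, username)


def build_password_grant(client_id, username, password):
    """Client side: form body for RFC 6749 4.3 (password grant). No client_secret is sent."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password, "scope": "api"})


def build_refresh_grant(client_id, refresh_token):
    """Client side: form body for RFC 6749 6 (refreshing an access token)."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token})


def token_endpoint(body):
    """Server side: a minimal token endpoint handling both grant types."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("client_id") not in PUBLIC_CLIENTS:
        return {"error": "invalid_client"}
    if form.get("grant_type") == "password":
        user = form.get("username", "")
        # Constant-time comparison so a wrong password does not leak timing.
        if not secrets.compare_digest(USERS.get(user, ""), form.get("password", "")):
            return {"error": "invalid_grant"}
    elif form.get("grant_type") == "refresh_token":
        # Rotate: the presented refresh token is consumed, so a replay of it fails.
        bound = REFRESH_TOKENS.pop(form.get("refresh_token", ""), None)
        if bound is None or bound[0] != form["client_id"]:
            return {"error": "invalid_grant"}
        user = bound[1]
    else:
        return {"error": "unsupported_grant_type"}
    refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh] = (form["client_id"], user)
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": refresh}


def demo():
    """Log in once with the password, refresh once, then replay the used refresh token."""
    first = token_endpoint(build_password_grant("mobile-app", "alice", "correct horse battery staple"))
    second = token_endpoint(build_refresh_grant("mobile-app", first["refresh_token"]))
    replay = token_endpoint(build_refresh_grant("mobile-app", first["refresh_token"]))
    return first, second, replay
```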

iandayman

Reputation: 4467

2- Implicit - used with Mobile Apps or Web Applications (applications that run on the user's device)

If your application runs entirely on a mobile device then you are encouraged to use this flow as your mobile app can't be trusted to keep its client credentials secret.

Upvotes: 1
