Johnduff

Reputation: 43

OAuth2: where to store the client secret on an Android phone in order to request an access token?

I built my own authentication server with OAuth2 (not using Facebook or Google) and I was wondering where to store the client secret on the mobile device in the first place. As shared preferences can be hacked on a rooted phone AND the access token request needs the client id, I'm facing a problem.

(Please do not mark this question as duplicated as I didn't find the answer on a similar post)

Upvotes: 2

Views: 1632

Answers (1)

Soma Yarlagadda

Reputation: 2943

You need the client id and secret when you are using the Authorization Code flow. This flow is normally used in situations where the client is highly trusted, for example an API running from the server. Implicit flow is the better option in cases where you do not want to store the client secret.

Implicit flow differs from Authorization Code flow in the response returned from the authorization server. Implicit flow returns the access_token directly. To have a valid session for longer periods you can request a refresh token along with the access token, and refresh tokens can be used to obtain a new access token when the current access token becomes invalid or expires.

Please let me know if you have any other questions.

Thank you, Soma.

Upvotes: 4
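The two exchanges discussed above, as an added example that is not part of the question or the answer: the client side of the implicit grant (response_type=token, access token returned in the redirect fragment, state checked before the token is accepted), and, going beyond the answer, the PKCE variant of the authorization code grant (RFC 7636), which is the other way a public client such as an Android app can obtain a token without shipping a client secret. The endpoint, redirect URI and client id are made-up placeholders, and the redirect URLs fed to the parser are constructed inline.

```python
import base64
import hashlib
import secrets
from typing import Tuple
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder values for the asker's own authorization server (assumption).
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"
REDIRECT_URI = "com.example.app:/oauth2redirect"  # custom-scheme redirect registered for the app
CLIENT_ID = "android-app"  # public identifier only; no secret is embedded in the APK


def new_state() -> str:
    """Unguessable per-request value that binds the redirect back to our request."""
    return secrets.token_urlsafe(16)


def build_implicit_request(state: str, scope: str = "profile") -> str:
    """Implicit grant: response_type=token, so the token arrives in the
    redirect fragment and no client secret is involved at any step."""
    params = {
        "response_type": "token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_implicit_redirect(redirect_url: str, expected_state: str) -> dict:
    """Pull the token out of the fragment; refuse it unless state matches."""
    fragment = urlsplit(redirect_url).fragment
    values = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in values:
        raise ValueError(f"authorization failed: {values['error']}")
    if not secrets.compare_digest(values.get("state", ""), expected_state):
        raise ValueError("state mismatch: response is not bound to our request")
    if "access_token" not in values or values.get("token_type", "").lower() != "bearer":
        raise ValueError("no bearer access token in response")
    return values


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh high-entropy verifier (kept in app memory only) and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_pkce_code_request(state: str, challenge: str, scope: str = "profile") -> str:
    """Authorization code grant with PKCE: the challenge goes in the front channel."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def pkce_token_request_body(code: str, verifier: str) -> dict:
    """Token endpoint body: the code_verifier takes the place of a client secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge it stored with the code and compare in constant time."""
    return secrets.compare_digest(pkce_challenge(presented_verifier), stored_challenge)
```

The state check in parse_implicit_redirect is the one thing the implicit flow gives you to reject a token that was injected into the redirect rather than issued for your request; with PKCE the server additionally refuses to exchange a stolen code unless the caller can present the matching verifier, which never leaves the app's memory.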
