zagubionytroll

Reputation: 91

Identity Server + resource owner credentials + authenticator

I'm working on setting up a new SSO application. I would like to use ASP.NET Identity as a database to store the users' data. I have a ReactJs application hosted on Node.JS and a .Net Web Api2 application. I want to protect this Web Api 2 using Identity Server with users from its database. In further development I'm going to create a mobile application. I'm able to create an asp.net identity database with some users and use Resource Owner credentials, but I have a couple of questions if anyone could help:

  1. Why is Resource Owner Credentials not recommended? My current workflow is to hit the api with client&user&password and obtain a token, which I store in the web layer and use in Web Api requests. Web Api validates the tokens and identifies the user. I read on the IS page that this is not recommended, so what's the recommended scenario to authenticate the user?
  2. How can I create an authenticator for mobile? Should I create my own certificate issue, store it in database as a thumbprint and use access token for that?

Thanks

Upvotes: 1

Views: 264

Answers (1)

Lutando

Reputation: 5010

  1. In short, Resource Owner requires the credentials to be passed through the application itself; also, RO doesn't give you SSO. Here's a longer answer. The recommended scenario is to use hybrid flow with PKCE enabled.

  2. Look up TOTP. I believe it is implemented in AspNetCore.Identity with some examples.

Upvotes: 1
