user3770825

Reputation: 49

OAuth grant type for Android native app with Spring Boot backend

I have an Android native app as client and a Spring Boot service in the backend with REST endpoints. I want to know the best possible strategy for authentication with OAuth2 (without the social login approach).

I am currently using Spring OAuth security and have an authorization server up and running (users sign up with email and password). I use the grant type "password" to get access tokens in the Android app. However, this approach requires the Android app to send the client ID and secret in the request. I read a few posts which suggest that this grant type is not ideal. I don't mind receiving the user's password, but I think storing the client secret in the app is not a good approach.

Another approach would be to use the Authorization Code grant flow, but in this case, since I only have a native app and backend APIs, I don't know how to authorize the user. It doesn't seem like a seamless experience for users to see a browser page asking them to authorize the app. Which doesn't make sense either, because this is no third-party app.

I found a post where people suggest using the Authorization Code flow with PKCE. But this apparently doesn't yet work with Spring.

So, now I am left wondering how other native mobile apps handle authentication? Do they not use access tokens? How best can I support authentication when dealing with a mobile app and Spring backend?

Upvotes: 3

Views: 1373

Answers (1)

jzheaux

Reputation: 7707

Spring Security OAuth supports password and authorization_code flows without the client secret, meaning a "public client". Since you own the Authorization Server and the native app and you are okay with the native app taking credentials, it's reasonable to have your native app use a public client with the password grant type.

If you decide that your native app shouldn't take credentials, though, then PKCE is the current best practice. Using the authorization_code flow with a public client is the recommended alternative to PKCE:

In the time since the spec was originally written, the industry best practice has changed to recommend using the authorization code flow with no secret for native apps.

And this would mean, as you mentioned, jumping out to a browser.

Upvotes: 2
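As an added illustration of the two pieces the answer relies on (a public client that sends no secret, and PKCE binding the authorization code to the app instance that requested it), the following is an end-to-end sketch of the authorization_code + PKCE exchange. It is example code written for this page, not code from the question, the answer, or the Spring Security project, and it is in Python rather than Java/Kotlin so the whole exchange fits in one runnable file. The in-memory `AuthorizationServer`, the client id `android-app`, the redirect URI `com.example.app:/oauth2redirect` and the endpoint paths in the comments are assumptions standing in for the Spring authorization server; the browser login and consent step is assumed to have already happened when `authorize()` is called.

```python
import base64
import hashlib
import hmac
import secrets
import time


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 section 4.1: high-entropy random string of 43..128 unreserved chars.
    32 random bytes encode to exactly 43 base64url characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory stand-in for the Spring authorization server (assumption).
    Only the PKCE-relevant checks are modelled; the browser login and consent page are
    assumed to have completed before authorize() is called."""

    CODE_LIFETIME = 60  # seconds; authorization codes should be short-lived

    def __init__(self, public_client_ids):
        self.public_clients = set(public_client_ids)   # registered public clients, no secret
        self.pending = {}        # code -> details recorded at the authorization endpoint
        self.access_tokens = {}  # access token -> subject

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, subject):
        if client_id not in self.public_clients:
            raise ValueError("unauthorized_client")
        if code_challenge_method != "S256":
            # "plain" would send the verifier itself through the browser; refuse it
            raise ValueError("invalid_request: only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self.pending[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
            "subject": subject,
            "expires": time.time() + self.CODE_LIFETIME,
        }
        return code

    def token(self, client_id, code, code_verifier, redirect_uri):
        # Public client: no client secret is checked here. pop() makes the code single-use
        # even when verification fails, so a stolen code cannot be used to brute-force the verifier.
        entry = self.pending.pop(code, None)
        if entry is None or entry["expires"] < time.time():
            raise ValueError("invalid_grant")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), entry["challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = entry["subject"]
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


CLIENT_ID = "android-app"                          # assumed public client id
REDIRECT_URI = "com.example.app:/oauth2redirect"   # assumed custom-scheme redirect


def run_flow(server, subject="alice"):
    """The happy path as the Android app would drive it."""
    verifier = make_code_verifier()           # lives only in app memory, never sent via the browser
    challenge = code_challenge_s256(verifier)
    # 1. app opens the system browser on /oauth/authorize?...&code_challenge=<challenge>&code_challenge_method=S256
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, "S256", subject)
    # 2. browser redirects to REDIRECT_URI?code=<code>; app POSTs code + code_verifier to /oauth/token
    return server.token(CLIENT_ID, code, verifier, REDIRECT_URI)


def intercepted_code_is_useless(server, subject="alice"):
    """A malicious app registered for the same redirect scheme can capture the code,
    but it never saw the verifier, so its token exchange must fail."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge_s256(verifier), "S256", subject)
    try:
        server.token(CLIENT_ID, code, make_code_verifier(), REDIRECT_URI)  # attacker's own guess
    except ValueError:
        return True
    return False


def code_is_single_use(server, subject="alice"):
    """Replaying a code that was already exchanged must fail even with the right verifier."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge_s256(verifier), "S256", subject)
    server.token(CLIENT_ID, code, verifier, REDIRECT_URI)
    try:
        server.token(CLIENT_ID, code, verifier, REDIRECT_URI)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthorizationServer({CLIENT_ID})
    print(run_flow(srv))
    print("intercepted code rejected:", intercepted_code_is_useless(srv))
    print("code replay rejected:", code_is_single_use(srv))
```

The point to take from the sketch is that nothing in the app has to be secret: the verifier is generated fresh per login, the browser only ever carries its SHA-256 challenge, and the token endpoint accepts a bare client id. Whatever the server side is (a Spring authorization server or anything else), those are the checks it must perform, and the `S256`-only and single-use rules are the ones most often skipped.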
