ch271828n

Reputation: 17643

OAuth2 for mobile apps with simplest client-server architecture?

We have a classical C-S (client-server) architecture, i.e. a mobile app and a business server. We have our own account system (not using 3rd-party accounts such as Google/Facebook accounts). I know I should use OAuth2 for authentication. The problem is, how shall I implement that?

There are two things that I did not find on the Internet:

  1. We are using our own account system - no Google/Facebook account.
  2. The user should input his password in the native app UI, not in a browser webpage embedded in the app.

Questions:

  1. I think we can use the "resource owner password grant" mode. The user inputs the password in the native UI, then we gather it and send an HTTPS request to the server, etc. But I have seen people saying it is unsafe... So should I use it?
  2. If we should use the "authorization code" mode, how shall I let the user input his password within the native UI?

Thanks very much!

p.s. If we do not have our own account system and simply rely on Google/Facebook's account, then everything is simple. We can just use any blog or article or answer on the Internet. However we need our own account system.

Upvotes: 1

Views: 1162

Answers (1)

Vlad

Reputation: 9481

The resource owner flow is considered unsafe when used with 3rd-party authentication, for example when your mobile app is trying to access a file in the user's Dropbox or a Gmail email. If you own all the parts of the system (account system, resources and the app), you should be safe with the resource owner password flow.

It is a much simpler flow; however, it has some drawbacks. For example, you won't be able to federate with other 3rd-party or enterprise systems, and you can't benefit from single sign-on. If neither of those applies to you, go ahead and use the resource owner password flow.

You can find a good treatment of the subject here: https://auth0.com/blog/oauth-2-best-practices-for-native-apps/

Upvotes: 1
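The flow the answer recommends, as an added illustration that is not part of the original question or answer: the app collects the password in its own UI and POSTs a `grant_type=password` form to the server's token endpoint over HTTPS; the server checks the registered client and the password hash, hands back a short-lived bearer access token plus a refresh token, and the resource server validates the bearer token on each request. The user table, the `mobile-app` client registration, the PBKDF2 parameters and the token lifetimes are constructed assumptions, and the in-memory dicts stand in for whatever store the real server uses.

```python
"""Resource owner password credentials grant (RFC 6749 section 4.3) for a
first-party mobile app talking to its own account server.
Added example, not code from the original post.  The user store, client
registry, hashing parameters and token lifetimes are constructed assumptions."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

PBKDF2_ROUNDS = 100_000  # assumption; tune to your server hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the server never stores the cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed account store: username -> (salt, pbkdf2 hash).
_SALT = b"constructed-salt-not-for-production"
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}

# The app is a public client: it ships on user devices and cannot keep a
# client secret.  It is still registered, and only the listed grants are allowed.
CLIENTS = {"mobile-app": {"password", "refresh_token"}}

ACCESS_TOKENS = {}   # access token -> (username, expiry as epoch seconds)
REFRESH_TOKENS = {}  # refresh token -> username
ACCESS_LIFETIME = 3600


def build_password_grant_request(username, password, client_id="mobile-app"):
    """Body the app POSTs to /token (application/x-www-form-urlencoded, over HTTPS only)."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "client_id": client_id, "scope": "profile"})


def _issue(username, now):
    """Mint an opaque access token and a refresh token for the user."""
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = (username, now + ACCESS_LIFETIME)
    REFRESH_TOKENS[refresh] = username
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_LIFETIME, "refresh_token": refresh}


def token_endpoint(body: str, now=None):
    """Server side of POST /token.  Returns (http_status, json_dict)."""
    now = time.time() if now is None else now
    p = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant = p.get("grant_type")
    allowed = CLIENTS.get(p.get("client_id"))
    if allowed is None:
        return 401, {"error": "invalid_client"}
    if grant not in allowed:
        return 400, {"error": "unauthorized_client"}
    if grant == "password":
        rec = USERS.get(p.get("username", ""))
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, stored = rec if rec else (_SALT, bytes(32))
        candidate = hash_password(p.get("password", ""), salt)
        if rec is None or not hmac.compare_digest(candidate, stored):
            return 400, {"error": "invalid_grant"}
        return 200, _issue(p["username"], now)
    if grant == "refresh_token":
        # Rotate: the presented refresh token is consumed and replaced.
        user = REFRESH_TOKENS.pop(p.get("refresh_token", ""), None)
        if user is None:
            return 400, {"error": "invalid_grant"}
        return 200, _issue(user, now)
    return 400, {"error": "unsupported_grant_type"}


def resource_owner_for(authorization_header: str, now=None):
    """Resource-server check of 'Authorization: Bearer <token>'; returns the username or None."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer":
        return None
    entry = ACCESS_TOKENS.get(token)
    if entry is None or entry[1] <= now:
        return None
    return entry[0]


if __name__ == "__main__":
    body = build_password_grant_request("alice", "correct horse battery staple")
    status, resp = token_endpoint(body)
    print(status, resp)
    print(resource_owner_for("Bearer " + resp["access_token"]))
```

Two points worth keeping from the example: the password travels exactly once, to your own token endpoint, and is never kept by the app (only the tokens are, ideally in the platform keychain/keystore); and refresh tokens are rotated on use, so a copied refresh token is invalidated the next time the legitimate app refreshes.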
