Reputation: 1179
How can I authenticate my mobile app (Flutter) against social providers while using a flow provided by an IdentityServer4 system?
I'm trying to build a mobile app which will authenticate a user via Azure AD B2C. This question will be valid for any provider of an IdentityServer4 service though. For mobile apps, everything I read suggests using the Resource Owner Password Credentials (ROPC) flow. My understanding is that ROPC does not allow for social providers to be authenticated with. Is there an alternative flow to use specifically for social provider authentication? Is my understanding of ROPC wrong? I know mobile apps can authenticate with social providers; I've seen enough do it.
Upvotes: 0
Views: 120
Reputation: 7473
If you want to authenticate social providers and the users of mobile application, you could use auth code flow via Azure AD B2C. You can use it for authentication and authorization in most application types, including web applications and natively installed applications.
About Resource Owner Password Credentials (ROPC) flow, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used. It is not recommended.
Update:
How does the auth code flow work for mobile authentication when it needs a redirect uri to send the resulting token to? This seems similar to the implicit flow for websites.
They are similar, but they apply to different application types. You could learn more about the flows (auth code flow, implicit flow). The docs are about Azure AD, but the processes are the same as B2C.
The protocol diagram of auth code flow is this:
The protocol diagram of implicit flow is this:
Upvotes: 2
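The answer above says a native app should use the auth code flow and that the redirect URI is what distinguishes it from the implicit flow. The following is an added example, not code from the answerer, from the question author or from Microsoft: it walks through the message exchange a public client such as a Flutter app performs, going beyond the answer in two ways that RFC 8252 (OAuth for native apps) prescribes. First, the redirect URI is a private-use scheme that the mobile OS routes back into the app, so no web server is needed to receive the code. Second, because a native app cannot keep a client secret, the authorization code is bound to the device with PKCE (RFC 7636): the app sends a SHA-256 challenge at `/authorize` and the matching verifier at `/token`, so a code seen in transit is worthless on its own. The tenant, policy, client id and redirect scheme are constructed placeholders; the authority URL follows the documented B2C shape, and the "server" side is simulated in-process so the exchange runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder Azure AD B2C tenant, policy and app id (constructed, not from the question).
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"
AUTHORITY = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
# A native app registers a private-use URI scheme (or a loopback address) as its
# redirect URI; the OS hands the redirect back to the app, so no web server is needed.
REDIRECT_URI = "msauth.com.example.app://auth"


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); the verifier stays on the device until /token."""
    code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return code_verifier, s256_challenge(code_verifier)


def build_authorize_url(code_challenge: str, state: str, nonce: str) -> str:
    """Step 1: the URL the app opens in the system browser (not an embedded web view)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the OS routes the redirect to the app; accept it only if state matches our request."""
    query = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: redirect does not belong to our request")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 3: form body POSTed to /token. A public client sends no client secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }


def server_accepts(stored_challenge: str, token_request: dict) -> bool:
    """Server-side check at /token: the presented verifier must hash to the challenge that
    was bound to the code at /authorize. A request carrying only the code is refused."""
    verifier = token_request.get("code_verifier", "")
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)


def run_flow() -> dict:
    """Simulate the whole exchange offline; the simulated server stores the challenge per code."""
    code_verifier, code_challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    authorize_url = build_authorize_url(code_challenge, state, nonce)

    # Simulated authorization server: the user signs in (the B2C policy may federate this to a
    # social provider), then the server issues a code bound to the challenge it received.
    server_params = parse_qs(urlparse(authorize_url).query)
    issued_code = secrets.token_urlsafe(24)
    server_store = {issued_code: server_params["code_challenge"][0]}
    callback_url = f"{REDIRECT_URI}?{urlencode({'code': issued_code, 'state': server_params['state'][0]})}"

    code = parse_callback(callback_url, state)
    legit = build_token_request(code, code_verifier)
    # The same code presented without the verifier, which is all the redirect itself reveals.
    without_verifier = {k: v for k, v in legit.items() if k != "code_verifier"}
    return {
        "legitimate_request_accepted": server_accepts(server_store[code], legit),
        "code_alone_rejected": not server_accepts(server_store[code], without_verifier),
    }
```

The state check and the PKCE check are the two things to verify when reviewing a mobile client: the app must reject a callback whose `state` it did not generate, and the token request must carry the `code_verifier` from the same session that started the flow. In a real Flutter app the system browser launch and the custom-scheme callback are handled by the platform, but the parameters exchanged are exactly the ones built here.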