Reputation: 13
What is the alternative to the Resource Owner Password Credentials grant type?
I have my REST API server which stores user data and handles all the requests. The front-end lives on another server and then there's also a mobile app. I would like to integrate OAuth2 but have my doubts on what grant type to choose. On one hand, the ROPC grant type is best in my situation since I don't allow any third party apps, and I don't want user to be redirected anywhere and the user never gets to use my endpoints directly, only with some kind of interface (front-end, or mobile GUI). So, what are the possible options here?
Upvotes: 0
Views: 1363
Answers (1)
Reputation: 159
Normally Authorization-Code Grant is the way to go. I assume you are asking this question, because you heard that ROPC is rather unsafe to use and should be avoided when possible? And that would be true. Use Authorization Code Grant. Better: use Authorization Code Grant with PKCE. (PKCE is mandatory on mobile Apps and a good practice on WebApps too) I know that the Authorization Code can seem complicated at first, but it is really the way to go with OAuth.
Upvotes: 1
Related Questions
- Is "Resource Owner Password Credentials" safe in OAuth2?
- What is the purpose of Resource Owner Password Credential Grant Type in OAuth 2.0?
- Why does OAuth 2 have Resource Owner Password Credentials Grant?
- Combine oAuth 2.0 Client Credentials and Resource Owner Password Credentials Grant Types for API?
- Authentication using Resource Owner Password Credentials in Rails
- Secure Oauth 2.0 Resource Owner Password Credentials Grant Type
- OAuth2 User Credentials Grant
- OAUth 2 Resource Owner Password Grant Type for Javascript client
- Implement OAuth2 with resource owner password credentials on Android
- How to keep the client credentials confidential, while using OAuth2's Resource Owner Password Credentials grant type