Tags: android, oauth-2.0, google-oauth, appauth

Does Redirect URI provide security in OAuth implementation for native Mobile Application?


I am developing a native mobile application on Android which has to interact with a server with an OAuth 2.0 implementation, using the Google AppAuth library as explained here.

1) What is the purpose of the Redirect URI other than getting the authorization code/access token back to our application? Since the Redirect URI specified in the authorization request has to be the same as the one registered with the Google API console, is it also a means of ensuring that control goes back only to the application which registered with Google and nowhere else?

2) Since I get the access token and refresh token in my mobile application and save them on the mobile (as shown in the codelabs example), what if somebody gets hold of these details: the refresh token, client ID and redirect URI? Can somebody access my server using these details on his own device?


Solution

    1. What is the purpose of the Redirect URI other than getting the authorization code/access token back to our application?

    As you say, most IDPs use a whitelist of redirect URIs associated with a particular client ID in order to restrict where codes and tokens can be sent, as a first line of defense against token theft. This works well for the web, where https redirect URIs at least provide some basic safeguards against spoofing.

    Until very recently, https redirect URIs were a bad fit for native applications. Android M introduced App Links, which allow apps to claim https authorities in a way that cannot be hijacked by other malicious apps. An alternative technique, PKCE, provides slightly weaker protections but will work on any Android version. PKCE requires support from your authorization endpoint, however.

    2. If somebody gets hold of these details of the refresh token [...] Can somebody access my server using these details on his own device?

    Generally speaking, yes. If your tokens are leaked to another malicious application, they can use these to access the data those tokens permit access to. "Bearer tokens" like these must remain secret, typically by only transmitting them over an encrypted connection between the issuer of the token and the user of the token.

    Standards work on token channel binding is in progress, where tokens can only be used in conjunction with an asymmetric key pair that is generated and stored in a hardware crypto module on the device. Stealing the private key from such modules is very difficult, much more so than just trying to steal the tokens themselves.

    I would recommend reading OAuth2 for Native Apps for an overview of the current best practices. To use OAuth2 in your app, I would recommend using the OpenID AppAuth library. Disclaimer: I am the lead maintainer of AppAuth.
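The answer above describes two server-side safeguards: the redirect URI whitelist that the authorization endpoint checks, and PKCE (RFC 7636), which the endpoint has to support for the protection to exist at all. The following is an added example, not AppAuth's code or anything from the original post: a small in-memory authorization server that applies both checks, plus the client-side code_verifier/code_challenge derivation that AppAuth performs for you. The client ID `app-123`, the custom-scheme redirect URI `com.example.app:/oauth2redirect` and the unregistered `https://attacker.invalid/cb` are constructed sample values; the PKCE test vector comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved characters.

    32 random bytes base64url-encode to 44 chars; stripping the '=' pad gives 43.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class AuthorizationServer:
    """Minimal authorization + token endpoint with a redirect URI whitelist and PKCE."""

    # client_id -> set of redirect URIs registered out of band (constructed sample data)
    registered: dict
    # issued code -> (client_id, redirect_uri, code_challenge); a code is single-use
    _pending: dict = field(default_factory=dict)

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        # Whitelist check: exact string match against what was registered for this client.
        # No prefix matching or wildcards, otherwise the code could be sent elsewhere.
        if redirect_uri not in self.registered.get(client_id, ()):
            raise ValueError("redirect_uri not registered for this client")
        # Insist on S256; the 'plain' method exposes the verifier in the first leg.
        if method != "S256" or not code_challenge:
            raise ValueError("S256 code_challenge required")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self._pending.pop(code, None)  # pop: a code can be redeemed at most once
        if entry is None:
            raise ValueError("unknown or already-used authorization code")
        issued_to, issued_uri, challenge = entry
        if issued_to != client_id or issued_uri != redirect_uri:
            raise ValueError("client_id/redirect_uri do not match the authorization request")
        # PKCE: the caller must prove it holds the verifier behind the challenge sent earlier.
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer"}


def demo():
    """Walk through the legitimate flow and the two failure modes the checks are for."""
    srv = AuthorizationServer(registered={"app-123": {"com.example.app:/oauth2redirect"}})
    uri = "com.example.app:/oauth2redirect"
    results = {}

    # 1. A redirect URI that was never registered is refused before any code is issued.
    try:
        srv.authorize("app-123", "https://attacker.invalid/cb", "irrelevant")
        results["bad_redirect_rejected"] = False
    except ValueError:
        results["bad_redirect_rejected"] = True

    # 2. Legitimate app: it generated the verifier, so it can redeem the code.
    verifier = make_code_verifier()
    code = srv.authorize("app-123", uri, code_challenge_s256(verifier))
    results["legit_token_type"] = srv.token("app-123", code, uri, verifier)["token_type"]

    # 3. A code delivered to the wrong app (e.g. one that claimed the same custom scheme)
    #    is useless without the original verifier, which never left the legitimate app.
    code2 = srv.authorize("app-123", uri, code_challenge_s256(make_code_verifier()))
    try:
        srv.token("app-123", code2, uri, make_code_verifier())
        results["stolen_code_redeemed"] = True
    except ValueError:
        results["stolen_code_redeemed"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Two points follow from the code. The whitelist only helps if the match is exact, which is why the console makes you register the full URI and why a custom scheme (as opposed to an App Link) still leaves the code capturable by another app that registers the same scheme. PKCE closes that gap: the intercepted code is bound to a challenge whose verifier stays in the legitimate app's memory, so the token endpoint rejects it. Neither check protects tokens that have already been issued, which is the answer's second point about bearer tokens.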