Tags: mobile, oauth-2.0, identityserver4

OAuth2 flow for mobile app


We have a pre-existing mobile application. The user registers with his user name and password. Currently we have a custom token-based authentication. We would like to switch to OAuth2 without affecting the user experience. It looks like Resource Owner Password Credentials is the nearest flow for us, but there are a lot of recommendations against using it... Any other recommendation? We are planning to use IdentityServer4.


Solution

  • tl;dr: Go with Authorization Code flow + PKCE.

    The Resource Owner Password Credentials grant is there for clients which cannot convert (migrate) to a fully OAuth client. Also, be aware that the specification strictly mentions the trust relationship between client and end user.

    From the specification:

    The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

    So what you heard is correct. You must only use this if you are out of options. And mind you, by using this flow you lose the essence of OAuth 2.0: you will expose end user credentials to the client!

    Moving to OAuth 2.0

    Mobile clients are public clients. The recommended grant for a mobile client is the Authorization Code grant type. Also, since it is a public client you must use PKCE (Proof Key for Code Exchange by OAuth Public Clients). PKCE adds an additional protection layer to the Authorization Code grant type.

    Moving to OAuth 2.0 will need changes in your mobile application. You will have to redesign the app's login functionality. But don't be afraid, there are lots of good libraries available for OAuth 2.0 with PKCE support. IdentityServer4 has support for these protocols too.

    If you adopt OAuth 2.0, you get the ability to change your authorization server seamlessly (with some configuration). That means the same application can consume users from different authorization servers. So go with Authorization Code flow + PKCE.