
Can I use a client side login for OAuth Authorization Code Flow?


All OAuth Authorization Code Flow examples I've seen send the user to a specific login page provided by the IdP server (Identity Provider server).

https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce

I'm wondering, can the login page be on the client itself, as in through an app or SPA? Or is this something insecure which I am not aware of? Thanks


Solution

Usually it is standard to redirect as you say, but security also depends on the credential being used:

  • If a user is signing in via their Google password then your app should definitely never see the credentials and you should always redirect.
  • If the user is signed in via a password stored at Company X, to only access data stored at Company X, and the password is not used for any other purposes, then it is less bad, since the company owns all of the assets involved.

People who avoid redirecting usually end up using a deprecated flow such as Resource Owner Password Grant. I would avoid that, since it will not fare well in security reviews and restricts your future authentication options.

To be on the safe side I would recommend sticking to the redirect model, and using a login method provided by the Identity Management System vendor.

FUTURE DIRECTION

Interestingly, there is an emerging trend from some vendors to remain within the app when that makes sense. See the Hypermedia Authentication API, which may become a standard. A key characteristic of this is that the Authorization Server continues to govern security and tell the app what to do.