OAuth 2.0 in a web application works using a redirect URI: the authentication provider redirects to the redirect URI and verifies it against the registered one, which the developer provides during app registration, before it does the redirection with the access token.
In the case of a mobile app, since there is no redirect URI to the mobile app, how does it work?
If someone gets the client ID, can they use it to build a duplicate app? How does security work in the above scenario?
The OAuth 2.0 implicit grant authorization flow (defined in Section 4.2 of OAuth 2.0 [RFC6749]) generally works with the practice of performing the authorization request in the browser and receiving the authorization response via URI-based inter-app communication.
The client_id is a public identifier for apps. Even though it's public, it's best that it isn't guessable by third parties, so many implementations use something like a 32-character hex string. If the client ID is guessable, it makes it slightly easier to craft phishing attacks against arbitrary applications.
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
Custom URI scheme (Android, iOS, UWP)
A custom URI scheme is recommended for Android apps, iOS apps, and Universal Windows Platform (UWP) apps.
Because mobile apps cannot guarantee the confidentiality of the client_secret, they can use a grant type that doesn't require it. This is the Implicit Grant. The idea is to redirect the mobile browser to the authorization endpoint using the response_type=token parameter:
https://example.com/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=http://REDIRECT_URI
After authenticating the user against the identity provider, the browser will be redirected back to the redirect_uri specified in the authorization request and passed an access token:
http://REDIRECT_URI/#token=ACCESS_TOKEN
You can then intercept the request to this specifically crafted url in the browser (by subscribing to the corresponding events that get triggered when the url changes), extract the access token that is passed and use this token to make authenticated requests.
If someone gets the client ID, can they use it to build a duplicate app? How does security work in the above scenario?
OAuth 2 is not designed to protect the intellectual property of your application. It is an authentication protocol. With or without it, anyone can duplicate your application. The idea is that without the client_secret, an application cannot use the grant types that require it, which usually give more permissions and scopes to the issued access tokens.