In the OAuth 2.0 Authorization Code Flow there are several entities:

- User
- Browser
- Mobile App
- Web Server
- Authorization Server

Also, we know that the Web Server keeps the Client Secret, and the /token route of the Authorization Server needs the Authorization Code and the Client Secret to return the Access Token.

When the User logs in to the Authorization Provider via the browser and the Authorization Server returns the Authorization Code to the redirect URL (to the Web Server), which one of the following ways exactly SHOULD be done? Why?

1. The Web Server should return the Authorization Code as a response to the Browser in an appropriate deep-linking format. The Browser opens the Mobile App and passes the Authorization Code to it. The Mobile App uses PKCE to send the Authorization Code to the Web Server (by calling an API), the Web Server sends the request to the Authorization Server to get the Access Token, and it is returned to the Mobile App.
2. The Web Server should get the Access Token using the received Authorization Code and return the Access Token as a response to the Browser in deep-linking format. The Browser opens the Mobile App and passes the Access Token to it.

I have seen the below diagram here:

And I think the correct way is X, because in the X way the Mobile App gets the Access Token directly via the API without the Browser deep-linking, and X is secure. But I need a valid document and a reference to official documentation in the answers.
Disclaimer: I'm not a mobile app developer.

I think X is correct because:

Other useful links:

- OAuth 2.0 for native apps
- OAuth 2.0 best practices for native apps
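The question and the answer both refer to PKCE as the mechanism a mobile (public) client uses at the token endpoint in place of a client secret. The following is an added example, not code from the question or the answers, that shows the code_verifier / code_challenge construction from RFC 7636 (S256 method) and a toy authorization server that binds the issued code to the challenge and checks the verifier at /token. The `ToyAuthorizationServer` class, the client_id `com.example.app`, the custom-scheme redirect URI and the `demo()` driver are all hypothetical stand-ins; only the PKCE derivation itself follows the RFC.

```python
"""
Added example (not part of the original question or answers): a minimal
PKCE (RFC 7636, S256) exchange between a public client and a toy
authorization server. The server class, client_id and redirect URI are
hypothetical; the verifier/challenge construction follows the RFC.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url encoding with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC minimum length.
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical AS: stores the challenge with each issued code and
    verifies the code_verifier at /token. No client secret is involved."""

    def __init__(self) -> None:
        self._codes = {}   # code -> (client_id, redirect_uri, code_challenge)
        self._used = set()  # codes that have already been redeemed

    def authorize(self, client_id, redirect_uri, code_challenge,
                  code_challenge_method="S256"):
        # Authorization endpoint: accept only S256 and bind the code to the challenge.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        # Token endpoint: the caller must present the verifier whose S256
        # digest matches the challenge stored with this code.
        entry = self._codes.get(code)
        if entry is None or code in self._used:
            return {"error": "invalid_grant"}
        exp_client, exp_redirect, challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        self._used.add(code)  # authorization codes are single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> dict:
    """One honest exchange, one attempt with an intercepted code but no
    verifier, and one replay of an already redeemed code."""
    auth_server = ToyAuthorizationServer()
    client_id = "com.example.app"                      # hypothetical public client
    redirect_uri = "com.example.app:/oauth2redirect"   # hypothetical custom-scheme redirect

    # App side: the verifier never leaves the app; only the challenge is sent.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)

    # Browser carries the authorization request; the AS redirects back with the code.
    code = auth_server.authorize(client_id, redirect_uri, challenge)
    returned_state = state  # constructed: the state value the redirect would carry back
    if not hmac.compare_digest(returned_state, state):
        raise RuntimeError("state mismatch: possible CSRF on the redirect")

    # Attacker who intercepted the code (e.g. via the redirect) but not the verifier.
    stolen = auth_server.token(client_id, redirect_uri, code, make_code_verifier())

    # Legitimate app redeems the code with its verifier and gets a token.
    ok = auth_server.token(client_id, redirect_uri, code, verifier)

    # Redeeming the same code a second time is refused.
    replay = auth_server.token(client_id, redirect_uri, code, verifier)
    return {"stolen": stolen, "ok": ok, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is that the authorization code alone is not enough at the token endpoint: whoever redeems it must also hold the verifier that was generated on the device, which is what lets a native app use the code grant without a client secret. The constant-time comparison and the single-use check are standard server-side hardening, added here as assumptions rather than anything the question specifies.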