I'm doing research on the OAuth 2.0 protocol.
I got stuck on the problem of generating bearer tokens for desktop/mobile applications that don't run on a web server.
The OAuth 2.0 protocol flow is clear to me for web applications. Suppose myapp.com wants to access protectedresource.com on behalf of user Alice; then Alice gets redirected to https://protectedresource.com/oauth?redirect_uri=https://myapp.com/oauth&[...] so the resource manager, after obtaining consent, redirects Alice's browser to a page that will collect the authorization code and use it to obtain the bearer token.
This works fine and securely because protectedresource.com recognizes the myapp.com domain and releases the bearer token only to requests coming from myapp.com.
If I'm running a desktop application, even with the support of a browser (i.e. embedding an HTML viewer in a Windows Form or something like that), where am I supposed to redirect Alice after consent?
Who collects the authorization code? How does the control flow change?
Does anybody have examples of OAuth 2.0 implementations running on desktop or Android?
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
OAuth 2.0 is not backwards compatible with OAuth 1.0 or 1.1, and should be thought of as a completely new protocol. OAuth 1.0 was largely based on two existing proprietary protocols: Flickr's authorization API and Google's AuthSub.
The OAuth wiki lists numerous options you can use, all of which have downsides. The simplest involves you running a web app that can display the token to the user, and then the user copies the token (and maybe the refresh token) into your desktop app.
If you have plenty of time then you could investigate registering a custom URI with the desktop operating system, and then use that as the redirect_uri to automatically transfer back to your app from the browser. This has the best user experience.
A malicious app can easily pretend to be your desktop app in these scenarios, and security relies on your users not installing malicious apps.
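The native-app variant of the authorization-code flow discussed in the question and answer, as an added example that is not part of the original question or answer: the desktop app itself plays the "page that collects the authorization code" by listening on a loopback address (the alternative to a custom URI scheme that RFC 8252 also allows), and it binds the code to itself with PKCE (RFC 7636) so that an app which intercepts the redirect cannot redeem the code without the verifier that never left the app. The authorization endpoint, client id and scope are assumed placeholders, and `simulate_browser_redirect` is a constructed demo helper standing in for the real browser; the final POST to the token endpoint is not shown because it needs a live server.

```python
import base64
import hashlib
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholders: the question's resource server name is reused as the
# authorization endpoint host; the client id is invented for this example.
AUTHORIZE_ENDPOINT = "https://protectedresource.com/oauth"
CLIENT_ID = "example-desktop-client"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    # Only the hash travels through the browser; the verifier stays inside the app.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(redirect_uri, state, code_challenge, scope="read"):
    """Build the URL the desktop app hands to the system browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Pull the authorization code out of the redirect request line, rejecting
    callbacks whose state does not match the one this app generated."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not initiated by this app")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


class LoopbackListener:
    """One-shot HTTP listener on 127.0.0.1 that receives the redirect from the browser."""

    def __init__(self, expected_state):
        self.expected_state = expected_state
        self.result = {}
        listener = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                try:
                    listener.result["code"] = parse_callback(self.path, listener.expected_state)
                    body = b"Authorization complete. You can close this window."
                except ValueError as exc:
                    listener.result["error"] = str(exc)
                    body = b"Authorization failed."
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):
                pass  # default logging would write the request line, code included, to stderr

        # Port 0 lets the OS pick a free port; RFC 8252 permits any loopback port.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)

    @property
    def redirect_uri(self):
        return "http://127.0.0.1:%d/callback" % self.server.server_address[1]

    def wait_for_code(self):
        """Block until exactly one redirect arrives, then close the socket."""
        try:
            self.server.handle_request()
        finally:
            self.server.server_close()
        if "error" in self.result:
            raise ValueError(self.result["error"])
        return self.result["code"]


def simulate_browser_redirect(listener, query):
    """Demo helper (constructed): act as the browser hitting the loopback URI."""
    url = listener.redirect_uri + "?" + query
    worker = threading.Thread(target=lambda: urllib.request.urlopen(url).read())
    worker.start()
    try:
        return listener.wait_for_code()
    finally:
        worker.join()


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    listener = LoopbackListener(state)
    print("Open this URL in the system browser:")
    print(build_authorization_url(listener.redirect_uri, state, challenge))
    code = listener.wait_for_code()
    print("Got authorization code; POST it with code_verifier=%s to the token endpoint" % verifier)
```

Run stand-alone, the script prints the authorization URL and blocks until the browser is redirected back to the loopback port. The `state` check answers the "who collects the code" question defensively: only a redirect carrying the value this process generated is accepted, and the listener closes after one request so nothing keeps listening afterwards. PKCE does not stop a malicious app from registering the same scheme or port, which is the caveat in the answer above, but it does make a captured code useless on its own.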