We have a pre-existing mobile application. The user registers with his user name and password. Currently we have a custom token-based authentication. We would like to switch to OAuth2 without affecting the user experience. Looks like Resource Owner Password Credentials is the nearest flow for us, but there are a lot of recommendations against using it... Any other recommendation... We are planning to use IdentityServer4
For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side, and this flow can return Refresh Tokens. To learn more about how this flow works and how to implement it, see Authorization Code Flow with Proof Key for Code Exchange (PKCE).
tldr; Go with Authorization code flow + PKCE
Resource owner password credential grant is there for clients which cannot convert (migrate) to a fully OAuth client. Also, be aware that the specification strictly mentions a trust relationship between client and end user.
From the specification:
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
So what you heard is correct. You must only use this if you are out of options. And mind you, by using this flow you lose the essence of OAuth 2.0. You will expose end user credentials to the client!
Moving to OAuth 2.0
Mobile clients are public clients. The recommended grant for a mobile client is the authorization code grant type. Also, since it's a public client you must use PKCE (Proof Key for Code Exchange by OAuth Public Clients). PKCE adds an additional protection layer to the authorization code grant type.
Moving to OAuth 2.0 will need changes in your mobile application. You will have to redesign the app's login functionality. But don't be afraid, there are lots of good libraries available for OAuth 2.0 with PKCE support. IdentityServer4, too, will have support for these protocols.
If you adopt OAuth 2.0, you get the ability to change your authorization server seamlessly (with some configuration). That means the same application can consume users from different authorization servers. So go with Authorization code flow + PKCE.
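To make the answer above concrete, here is an added example (not part of the original answer and not IdentityServer4 code) that walks the authorization code + PKCE exchange from both sides: the mobile client generates the code_verifier and S256 code_challenge and builds the authorize URL, and a toy in-memory stand-in for the authorization server stores the challenge with the issued code and checks the verifier at the token endpoint. It then shows the two failures PKCE exists for: a replayed code, and a code intercepted by another app on the device that does not hold the verifier. The issuer, client id, redirect URI, user id and the `/connect/authorize` path are assumptions for illustration (the path is IdentityServer4's default; check your discovery document); contrast this with the password grant, where the app would POST the user's password itself.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse


# ---------- Client side: the mobile app, a public client ----------

def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 s4.1: random string of 43..128 chars from [A-Za-z0-9-._~].
    32 random bytes base64url-encoded without padding gives 43 characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 s4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, code_challenge: str) -> str:
    """URL the app opens in the system browser. Only the challenge travels here;
    the verifier stays on the device and the password is typed into the IdP, not the app.
    /connect/authorize is assumed (IdentityServer4's default endpoint path)."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return issuer + "/connect/authorize?" + urllib.parse.urlencode(params)


# ---------- Server side: toy in-memory authorization server ----------

class ToyAuthorizationServer:
    def __init__(self):
        self._codes = {}  # code -> record; a real server persists this with a short TTL

    def authorize(self, client_id, redirect_uri, code_challenge, method, subject):
        """Called after the user has authenticated in the browser. Binds the challenge
        to the issued code. Public clients must send S256; 'plain' is not accepted."""
        if method != "S256" or not code_challenge:
            raise ValueError("invalid_request: PKCE with S256 is required for public clients")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "code_challenge": code_challenge, "subject": subject}
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Token endpoint. The code is single use: it is consumed on the first attempt,
        successful or not, so a replay or a failed guess burns it."""
        record = self._codes.pop(code, None)
        if record is None:
            return {"error": "invalid_grant"}
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        if not (43 <= len(code_verifier) <= 128):
            return {"error": "invalid_grant"}
        # Constant-time compare of BASE64URL(SHA256(verifier)) against the stored challenge.
        if not hmac.compare_digest(s256_challenge(code_verifier), record["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32),
                "sub": record["subject"]}


def run_flow():
    """One legitimate exchange, one replay, one interception. Returns the three responses."""
    server = ToyAuthorizationServer()
    client_id, redirect_uri = "mobile-app", "com.example.app:/callback"  # assumed values

    # 1. Legitimate app: verifier stays local, challenge goes in the authorize request.
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    _url = build_authorize_url("https://ids.example.com", client_id, redirect_uri,
                               "openid profile offline_access", secrets.token_urlsafe(16), challenge)
    code = server.authorize(client_id, redirect_uri, challenge, "S256", subject="user-42")
    legit = server.token(client_id, redirect_uri, code, verifier)

    # 2. Same code presented again: already consumed.
    replay = server.token(client_id, redirect_uri, code, verifier)

    # 3. Another app on the device catches the redirect for a fresh login but has no verifier.
    verifier2 = make_code_verifier()
    code2 = server.authorize(client_id, redirect_uri, s256_challenge(verifier2), "S256", "user-42")
    stolen = server.token(client_id, redirect_uri, code2, make_code_verifier())

    return {"legit": legit, "replay": replay, "stolen": stolen}


if __name__ == "__main__":
    for name, resp in run_flow().items():
        print(name, "->", "token issued" if "access_token" in resp else resp)
```

The point to notice is what crosses each boundary: the authorize request carries only a hash, the token request carries the verifier plus a short-lived code, and at no point does the app see the password. In the password grant the app would instead send `grant_type=password&username=...&password=...` to the token endpoint, which is exactly the exposure the answer warns about.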