We're currently working on an API that will be consumed by a variety of different devices. We want to use the OAuth2 spec as it defines several flows which were not available in the original OAuth spec. My question is, what flow would work best for a mobile device such as the iPhone or iPad? What flow does an application like TweetDeck use?
Looking around the web it seems clients like TweetDeck use the 'Username and Password Credentials Flow" (browserless token exchange). Can anyone provide more information on this topic?
The username and password flow you discuss should only be used if there is a trust between the end-user (mobile device user) and the client requesting auth (the app on the mobile). In this case, it seems reasonable that this trust would exist. What basically happens is that the credentials are sent to the auth server in exchange for an access token.
It is expected that you DO NOT store the credentials. Instead, you should store the access token and the refresh token and use those. The refresh token mechanism is defined in the spec here and using the access tokens is discussed here
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With