Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OAuth2 Flow for Mobile Devices

We're currently working on an API that will be consumed by a variety of different devices. We want to use the OAuth2 spec as it defines several flows which were not available in the original OAuth spec. My question is, what flow would work best for a mobile device such as the iPhone or iPad? What flow does an application like TweetDeck use?

Looking around the web it seems clients like TweetDeck use the 'Username and Password Credentials Flow" (browserless token exchange). Can anyone provide more information on this topic?

like image 326
Bart Jedrocha Avatar asked Jun 15 '10 14:06

Bart Jedrocha


1 Answers

The username and password flow you discuss should only be used if there is a trust between the end-user (mobile device user) and the client requesting auth (the app on the mobile). In this case, it seems reasonable that this trust would exist. What basically happens is that the credentials are sent to the auth server in exchange for an access token.

It is expected that you DO NOT store the credentials. Instead, you should store the access token and the refresh token and use those. The refresh token mechanism is defined in the spec here and using the access tokens is discussed here

like image 190
NG. Avatar answered Sep 30 '22 13:09

NG.