Three legged oauth flow on mobile app

I have a 3-legged auth flow working on a web app of mine. It goes as follows:

  • User clicks Connect with Google
  • They accept on the OAuth dialog that Google provides
  • The page gets redirected to my backend's /oauth/google endpoint with a code parameter which I send to Google to get a refresh_token so I can access data (like calendar info) on their behalf
  • I redirect back to the web app passing my own JWT token in the URL.
  • Whenever the web app makes a request like api.mybackend.com/me they use the JWT token I provided

I'm trying to accomplish something similar in a mobile app. What's the acceptable way to do this? Is it pretty much the same logic?

If it helps, my backend is Ruby on Rails and I'm writing the mobile app in Swift.

Thanks!

Venkat D. asked Oct 18 '22 23:10



1 Answer

If you're using NSURLSession to make HTTP requests, then see this for information about handling redirects.

Google also has some pre-built Google Sign-In packages for iOS and Android that you can include in your app, similar to the one in your web client. I've never used them though, so I don't know how exactly they'd integrate with your app.

Alternatively you can set up an authentication endpoint in your backend that handles the whole thing, with the app only ever making one request to your server and your server handling communication with Google. So, for example, you could have the user submit a request to /oauth/mobile. The server then submits an authentication request to Google and gets an access token and a refresh token. Then you can return your own app's token from the server. Google has some documentation on Google Sign-In for server-side apps that may be relevant.

btmcnellis answered Oct 24 '22 04:10

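The server-side variant from the answer, written out as an added example (not the poster's or answerer's code): the app posts only Google's authorization code to /oauth/mobile, the server exchanges it with Google, keeps the refresh_token, and hands back its own HS256 JWT, which the /me-style requests from the question then carry. The Google endpoint URLs are Google's published OAuth2/OIDC endpoints; the client id, secret, redirect URI and the in-memory token store are placeholders, and the HTTP transport is injectable so the logic can be exercised offline.

```ruby
require 'json'
require 'openssl'
require 'net/http'
# Added example, not from the original post. Google's token and userinfo endpoints
# are real; the credential values and REFRESH_TOKENS store are stand-ins.
TOKEN_URL    = URI('https://oauth2.googleapis.com/token')
USERINFO_URL = URI('https://openidconnect.googleapis.com/v1/userinfo')
REFRESH_TOKENS = {} # stand-in for the Rails model that persists refresh tokens per user

# Default transport really talks to Google; tests pass a fake one instead.
LIVE_HTTP = {
  post_form: ->(uri, params) { Net::HTTP.post_form(uri, params).body },
  get: ->(uri, token) { Net::HTTP.get(uri, { 'Authorization' => "Bearer #{token}" }) }
}

def b64url(bytes) = [bytes].pack('m0').tr('+/', '-_').delete('=')
def b64url_decode(s) = (s.tr('-_', '+/') + '=' * (-s.length % 4)).unpack1('m0')

# Mint the app's own HS256 JWT (the token the question's /me requests carry).
def issue_jwt(user_id, secret, ttl: 3600, now: Time.now.to_i)
  header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate({ sub: user_id, iat: now, exp: now + ttl }))
  sig = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Returns the claims, or nil if the token is malformed, forged, uses another alg, or expired.
def verify_jwt(token, secret, now: Time.now.to_i)
  header, payload, sig = token.to_s.split('.')
  return nil unless header && payload && sig
  return nil unless JSON.parse(b64url_decode(header))['alg'] == 'HS256' # pin the alg
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  return nil unless OpenSSL.secure_compare(expected, sig) # constant-time comparison
  claims = JSON.parse(b64url_decode(payload))
  claims['exp'] > now ? claims : nil
rescue JSON::ParserError, ArgumentError, TypeError, NoMethodError
  nil
end

# The /oauth/mobile action: the app sends only Google's authorization code; the
# server exchanges it, keeps the refresh_token, and answers with the app's JWT.
def oauth_mobile(code, google, app_secret, http: LIVE_HTTP)
  params = { 'code' => code, 'client_id' => google[:client_id], 'client_secret' => google[:client_secret],
             'redirect_uri' => google[:redirect_uri], 'grant_type' => 'authorization_code' }
  tokens = JSON.parse(http[:post_form].call(TOKEN_URL, params))
  return { 'error' => tokens['error'] } if tokens['error']
  user = JSON.parse(http[:get].call(USERINFO_URL, tokens['access_token'])) # Google's stable 'sub' id
  REFRESH_TOKENS[user['sub']] = tokens['refresh_token'] if tokens['refresh_token']
  { 'token' => issue_jwt(user['sub'], app_secret) }
end
```

Google's access and refresh tokens never leave the server; the mobile app only ever holds the app's own JWT.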