
What OAuth flow to use for IONIC2 app and Identity Server4

I've been researching OAuth 2 and IdentityServer4 for the past day and a half and can say that I think the preferred method to use in this scenario would be hybrid flow. It seems that in the past it was implicit due to the fact that a mobile client can't protect a secret. Then it appeared to have changed to authorization flow without a secret... (no idea how that would work)

My understanding of IONIC and other cross platform frameworks is that they work by embedding the application inside of a web view and hence this is where my confusion sets in. Technically speaking, hybrid flow is recommended for native apps and IONIC is not something that allows you to build native apps.

If the recommended flow for native apps is hybrid, but you are using IONIC and hence not building a native app, then does the hybrid flow still apply?

Again, my guess is that it does, because since this is going to be an app running locally on an end user's machine then the secret is NOT safe there.

This also confuses me a bit more because there are other flows, for example: credential based flows where one must supply a username and password. This confuses me because this is generally how one would want users to authenticate in a mobile app. Hybrid flow seems to be a flow that does not require a username and password.

I am coming from an MVC4 OWIN background.

My basic architecture plan is like this:

  • Auth server
  • API
  • IONIC app
asked Feb 08 '17 18:02

Adrian




1 Answer

Ionic apps for mobile should be treated as native apps and the recommended flow by OIDC standards for mobile is to use Hybrid+PKCE.

Have a look here

If you want an idea of how to set up the Client for Ionic on IdentityServer4, check the sample here. Don't mind Xamarin, just focus on the IdentityServer part.

answered Sep 28 '22 09:09

Kostas Valais