
Which OAuth flow should be used for mobile app developed using Ionic Framework?

I am developing a mobile app using Ionic Framework v3. It will be interacting with my authorization server (www.example.com) using REST calls. To make the REST calls more secure I have introduced OAuth and JWTs. But I am unable to decide which OAuth flow to use.

Also note I will be using my own OAuth server and will not be using public servers such as Facebook, Google, etc.

SRCM asked May 31 '18 15:05


1 Answer

My understanding is it depends on if you're going to deploy your Ionic app as a Web app or a Native app. For Web (SPA) you'll likely use the Implicit flow, and for Native you'll likely use Authorization Code Grant using Proof Key for Code Exchange - PKCE.

I personally use Auth0 for my auth, and I deploy my Ionic app in Web and Native. My app triggers the Implicit flow when in Web and PKCE for Native. Auth0 has some helpful docs here:

  • https://auth0.com/docs/api-auth/which-oauth-flow-to-use
  • https://auth0.com/docs/api/authentication#implicit-grant
  • https://auth0.com/docs/api/authentication#authorization-code-grant-pkce-

BRass answered Jan 03 '23 06:01