What's the right OAuth 2.0 flow for a mobile app

Backend Unresolved 5 1443
离开以前 2020-11-28 00:41

I am trying to implement delegated authorization in a Web API for mobile apps using OAuth 2.0. According to specification, the implicit grant flow does not support refresh t

5 answers
  •  鱼传尺愫
    2020-11-28 01:20

    TL;DR: Use Authorization Code Grant with PKCE

    1. Implicit Grant Type

    The implicit grant type is quite popular with mobile apps. But it was not meant to be used like this. There are security concerns around the redirect. Justin Richer states:

    The problem comes when you realize that unlike with a remote server URL, there is no reliable way to ensure that the binding between a given redirect URI and a specific mobile application is honored. Any app on the device can try to insert itself into the redirection process and cause it to serve the redirect URI. And guess what: if you’ve used the implicit flow in your native application, then you just handed the attacker your access token. There’s no recovery from that point — they’ve got the token and they can use it.

    And together with the fact that it does not let you refresh the access token, better avoid it.

    2. Authorization Code Grant Type

    The authorization code grant requires a client secret. But you should not store sensitive information in the source code of your mobile app. People can extract them. To not expose the client secret, you have to run a server as a middleman as Facebook writes:

    We recommend that App Access Tokens should only be used directly from your app's servers in order to provide the best security. For native apps, we suggest that the app communicates with your own server and the server then makes the API requests to Facebook using the App Access Token.

    Not an ideal solution, but there is a new, better way to do OAuth on mobile devices: Proof Key for Code Exchange

    3. Authorization Code Grant Type with PKCE (Proof Key for Code Exchange)

    Out of these limitations, a new technique was created that lets you use the Authorization Code without a client secret. You can read the full RFC 7636 or this short introduction.

    PKCE (RFC 7636) is a technique to secure public clients that don't use a client secret.

    It is primarily used by native and mobile apps, but the technique can be applied to any public client as well. It requires additional support by the authorization server, so it is only supported on certain providers.

    from https://oauth.net/2/pkce/
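Added example (not from the answer above, and not a real provider's code): the PKCE binding from RFC 7636 end to end, with a hypothetical toy authorization server (`ToyAuthServer`) that stores the S256 challenge alongside each authorization code and refuses the token exchange when the presented verifier does not match, which is exactly what protects a native app whose redirect was observed by another app on the device.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-char verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Hypothetical minimal authorization server (assumption, for illustration only)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # The challenge is bound to the issued code; 'plain' is rejected because it
        # gives no protection if the authorize request itself is observed.
        if method != "S256":
            raise ValueError("only S256 accepted")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            return None
        # Recompute the challenge from the verifier and compare in constant time.
        if not secrets.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flow(intercepted: bool = False):
    """Legit app completes the flow; with intercepted=True a second app that only
    captured the redirect (the code) but never saw the verifier tries the exchange."""
    srv = ToyAuthServer()
    verifier = make_code_verifier()            # stays in the app's memory, never sent
    code = srv.authorize("mobile-app", make_code_challenge(verifier))
    presented = make_code_verifier() if intercepted else verifier
    return srv.token("mobile-app", code, presented)
```

With `run_flow()` the exchange succeeds; with `run_flow(intercepted=True)` it returns `None`, because knowing the code alone is not enough without the matching verifier.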
