问题
We have a classical C-S(client-server) architecture, i.e. a mobile app and a business server. We have our own account system (not using 3rd party accounts such as Google/Facebook account). I know I should use OAuth2 for authentication. The problem is, how shall I implement that?
There are two things that I did not found on the Internet:
- We are using our own account system - no Google/Facebook account.
- The user should input his password in the native app UI, not in a browser webpage embedded in the app.
Questions:
- I think we can use the "resource owner password grant" mode. The user inputs password in native UI, then we gather and send a HTTPS request to the server, etc. But I have seen people saying it unsafe... So should I use it?
- If we should use the "authorization code" mode, how shall I let the user input his password within the native UI?
Thanks very much!
p.s. If we do not have our own account system and simply rely on Google/Facebook's account, then everything is simple. We can just use any blog or article or answer on the Internet. However we need our own account system.
回答1:
The resource owner flow is considered unsafe when used with 3rd party authentication, for example your mobile app is trying to access a file in the user's Dropbox or a Gmail's email. If you own all the parts of the system account system, resources and the app your should be safe with resource owner password flow.
It is a much simpler flow, however it has some drawbacks. Like you won't be able to federate with other 3rd party or enterprise systems, and you can't benefit from a single sign on. If neither of those apply to you go ahead and use resource owner password flow.
You can find a good treatment on the subject here : https://auth0.com/blog/oauth-2-best-practices-for-native-apps/
来源:https://stackoverflow.com/questions/61313694/oauth2-for-mobile-apps-with-simplest-client-server-architecture