Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
894 views
in Technique[技术] by (71.8m points)

spring - OAuth2 for mobile apps with simplest client-server architecture?

We have a classical C-S(client-server) architecture, i.e. a mobile app and a business server. We have our own account system (not using 3rd party accounts such as Google/Facebook account). I know I should use OAuth2 for authentication. The problem is, how shall I implement that?

There are two things that I did not found on the Internet:

  1. We are using our own account system - no Google/Facebook account.
  2. The user should input his password in the native app UI, not in a browser webpage embedded in the app.

Questions:

  1. I think we can use the "resource owner password grant" mode. The user inputs password in native UI, then we gather and send a HTTPS request to the server, etc. But I have seen people saying it unsafe... So should I use it?
  2. If we should use the "authorization code" mode, how shall I let the user input his password within the native UI?

Thanks very much!

p.s. If we do not have our own account system and simply rely on Google/Facebook's account, then everything is simple. We can just use any blog or article or answer on the Internet. However we need our own account system.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

The resource owner flow is considered unsafe when used with 3rd party authentication, for example your mobile app is trying to access a file in the user's Dropbox or a Gmail's email. If you own all the parts of the system account system, resources and the app your should be safe with resource owner password flow.

It is a much simpler flow, however it has some drawbacks. Like you won't be able to federate with other 3rd party or enterprise systems, and you can't benefit from a single sign on. If neither of those apply to you go ahead and use resource owner password flow.

You can find a good treatment on the subject here : https://auth0.com/blog/oauth-2-best-practices-for-native-apps/


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...