Overview#

The OAuth 2.0 (RFC 6749) authorization framework documents, in Section 9, two approaches for Native applications to interact with the Authorization_endpoint:

OAuth 2.0 for Native Apps is an Internet Draft: https://tools.ietf.org/html/draft-ietf-oauth-native-apps-03

Summary #

At the time of writing, many native apps still use WebViews, a type of embedded user-agent, for OAuth 2.0. Embedded user-agents are, however, by definition unsafe for use by third parties.

They require the user to perform Authentication with their full login credentials inside the app, only to have those credentials downscoped to less powerful OAuth 2.0 credentials. (Remember that OAuth 2.0 is NOT an Authentication protocol.)

The WebView approach has multiple drawbacks, including:

The OAuth 2.0 for Native Apps document recommends External User-Agents, such as Chrome Custom Tabs or SFSafariViewController, as the only secure and usable choice for OAuth 2.0.

OAuth 2.0 Protocol Flows between a Native application and the system browser (or another external user-agent) are:

Inter-process communication, such as the OAuth 2.0 Protocol Flows between a Native application and the system browser, can be achieved through URI-based communication. As this is exactly how OAuth works for web-based OAuth flows between OAuth Client and Identity Provider (IDP) websites, OAuth can be used for Native application auth with very little modification.
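As an added illustration (not part of the original page or of the draft), the two halves of that URI-based exchange on the native-app side: building the authorization request that the app opens in the system browser, and handling the redirect URI the OS hands back to the app. The endpoint, client_id and the com.example.app custom scheme are assumed placeholders; PKCE (RFC 7636) is included because a native app cannot keep a client secret.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholder values; a real app uses its IdP's endpoint and a
# redirect URI it registered (custom scheme or claimed https URI).
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "native-app-client"
REDIRECT_URI = "com.example.app:/oauth2redirect"


def pkce_challenge(verifier):
    """S256 code_challenge (RFC 7636): base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request():
    """Return (url, pending). The app opens `url` in the external user-agent
    and keeps `pending` (state + code_verifier) until the redirect comes back."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(32)  # 43 URL-safe chars, within RFC 7636 limits
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params), {"state": state, "code_verifier": verifier}


def handle_redirect(redirect_url, pending):
    """Parse the URI the OS delivers to the app after the browser redirects;
    return the authorization code, or raise ValueError."""
    parts = urlsplit(redirect_url)
    if parts.scheme != "com.example.app" or parts.path != "/oauth2redirect":
        raise ValueError("redirect delivered to an unexpected URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    # The state value ties this response to the request the app itself started.
    if query.get("state", [""])[0] != pending["state"]:
        raise ValueError("state mismatch: response does not belong to a pending request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code  # exchanged at the token endpoint together with pending["code_verifier"]
```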

OAuth 2.0 for Native Apps also documents:

More Information#

There might be more information on this subject on one of the following:

« This page (revision-6) was last changed on 22-Jul-2016 05:13 by jim