OAuth 2.0 for Native Apps was an Internet Draft, https://tools.ietf.org/html/draft-ietf-oauth-native-apps-03, since published as RFC 8252.
Summary
At the time of writing, many native apps still use WebViews, a type of embedded user-agent, for OAuth 2.0. Embedded user-agents are, by definition, unsafe for third-party use: the app hosting the WebView controls everything the user sees and types in it.
The WebView approach has multiple drawbacks, including:
- the client app can eavesdrop on the user's credentials
- a suboptimal user experience, since the authentication session cannot be shared between apps (i.e. no Single Sign-On)
- the user must authenticate to each app separately.
Inter-process communication between a native application and the system browser, such as the OAuth 2.0 protocol flows, can be achieved through URI-based communication. Since this is exactly how web-based OAuth flows already work between the OAuth client and the Identity Provider (IdP) website, OAuth can be used for native application auth with very little modification.
OAuth 2.0 for Native Apps also documents:
- using custom URI schemes for redirection
- that authorization servers SHOULD support loopback URI redirection, i.e. a redirect URI using the HTTP scheme on the loopback IP address
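As an added example (not code from the draft), the loopback redirection the last item describes, in Python: the app listens on 127.0.0.1 on an OS-assigned port, hands the authorization request to the system browser instead of a WebView, and accepts the redirected response only if its state matches the one it generated. The IdP endpoint and client_id are constructed placeholders, and a thread stands in for the browser so the code runs offline.

```python
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse


class _CallbackHandler(BaseHTTPRequestHandler):
    """Handles the single redirect the system browser makes back to the loopback listener."""
    def do_GET(self):
        params = {k: v[0] for k, v in parse_qs(urlparse(self.path).query).items()}
        # Tie the response to the request we issued: a wrong or missing state is rejected,
        # so a code injected by another local process is never exchanged for tokens.
        if params.get("state") != self.server.expected_state:
            self.server.result = {"error": "state_mismatch"}
        elif "code" in params:
            self.server.result = {"code": params["code"]}
        else:
            self.server.result = {"error": params.get("error", "missing_code")}
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Sign-in complete. You may close this tab.")


class LoopbackRedirectServer(HTTPServer):
    """Listener on 127.0.0.1 and an ephemeral port, per the draft's loopback URI redirection."""
    def __init__(self, expected_state):
        super().__init__(("127.0.0.1", 0), _CallbackHandler)  # port 0: the OS picks a free port
        self.expected_state, self.result = expected_state, None
        self.redirect_uri = f"http://127.0.0.1:{self.server_port}/callback"


def build_authorization_url(redirect_uri, state):
    """Authorization request the app hands to the system browser, never to an embedded WebView.
    The endpoint and client_id are constructed placeholders; nothing is ever sent to them."""
    query = urlencode({"response_type": "code", "client_id": "native-app-demo", "scope": "openid",
                       "redirect_uri": redirect_uri, "state": state})
    return "https://idp.example/authorize?" + query


def loopback_flow(simulated_code, tamper_state=False):
    """Run the loopback leg end to end; a thread stands in for the browser following the IdP redirect."""
    state = secrets.token_urlsafe(16)
    server = LoopbackRedirectServer(state)
    auth_url = build_authorization_url(server.redirect_uri, state)  # a real app: webbrowser.open(auth_url)
    print("Browser would open:", auth_url)
    redirect = server.redirect_uri + "?" + urlencode({"code": simulated_code,
                                                     "state": "forged" if tamper_state else state})
    threading.Thread(target=lambda: urllib.request.urlopen(redirect).read(), daemon=True).start()
    server.timeout = 5
    server.handle_request()  # serve exactly the one redirect, then stop listening
    server.server_close()
    return server.result
```

Because the listener is bound to a fresh port each run, the redirect_uri must be registered with the authorization server as loopback with any port, which is exactly why the draft asks servers to support this form.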