Which OAuth flow should be used for mobile app developed using Ionic Framework? - oauth-2.0

Which OAuth flow should be used for mobile app developed using Ionic Framework?
I am developing a mobile app using Ionic Framework v3. It will be interacting with my authorization server (www.example.com) using REST calls. To make the REST calls more secure I have introduced OAuth and JWTs. But I am unable to decide which OAuth flow to use.
Also note I will be using my own OAuth server and will not be using public servers such as Facebook, Google, etc.

My understanding is it depends on if you're going to deploy your Ionic app as a Web app or a Native app. For Web (SPA) you'll likely use the Implicit flow, and for Native you'll likely use Authorization Code Grant using Proof Key for Code Exchange (PKCE).
I personally use Auth0 for my auth, and I deploy my Ionic app in Web and Native. My app triggers the Implicit flow when in Web and PKCE for Native. Auth0 has some helpful docs here:
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
https://auth0.com/docs/api/authentication#implicit-grant
https://auth0.com/docs/api/authentication#authorization-code-grant-pkce-

Related

OAUTH2 Hybrid Flow or Authorisation Code Flow for Web Application to 3rd party Application Access Control?

I have a web application written in MVC 5 Asp.Net 4.7, C# on Azure App Service. I want to integrate it with a 3rd party web application, via its API, using OAUTH2 whereby the server application punches out to it, causing its Identity Server to acquire user credentials and then to finally issue a Refresh and Access token so my application can make calls on its API.
Now to my question.... As I understand it the recommended OAUTH code flow for this is "Authorisation Code Flow", however the 3rd party wishes me to use "Hybrid Flow" as they have been advised this is more secure. Is this correct? I emphasise this is a web server to web server interchange, apart from the redirection by the 3rd party identity server for user credentials.
Thank you in advance.

How to implement JWT on Gluon Mobile apps

I am trying to develop iOS and Android apps using Gluon Mobile. The apps will have login and I have used the JWT approach to log in on the server, so every request made from the app needs to include the JWT token. Now, my question, since this may be platform specific, is how to store this token and retrieve it from storage to be used on each request.

LinkedIn Signin for ios OAuth2, API V2. How to open the installed LinkedIn app

Until now we have implemented an OAuth workflow with mobile app and web-based login for LinkedIn with the help of (https://github.com/tonyli508/LinkedinSwift). Due to the LinkedIn API change to V2 on 1.3.2019 we updated our app to use a browser-based OAuth 2.0 workflow for LinkedIn using the REST interface API V2, an embedded UIWebView and intercepting the request to get the token, because LinkedinSwift uses the mobile iOS SDK of LinkedIn and does not support API V2.
The LinkedIn website for the SDK (https://developer.linkedin.com/docs/ios-sdk) says "The Mobile SDK is not currently supported". Following the link, only the REST API is documented.
Question:
Did anybody manage to use an installed LinkedIn app for authorization and using API V2?
The LinkedIn app does not provide any deep links, and they want developers to use the SDK, but the LinkedIn API has been largely closed off and is only available to approved LinkedIn developers. You can request authorization here - https://business.linkedin.com/marketing-solutions/marketing-partners/become-a-partner/marketing-developer-program

Using WebAPI for Token based Authentication to authenticate MVC and Mobile App

What I am trying to do is use WebAPI to authenticate both an MVC application and a mobile app using Token based auth. I currently have the MVC application authenticating with the database directly using the standard .NET SignInManager code the VS generates. I have my WebAPI in a different project and will reside in a different website.
I have the mobile app using the API for token based auth. What I am trying to do now is move the MVC app to use this same auth. I am hoping to use the SignInManager as I am now and just change the underlying auth location to the API using tokens. I am doing this to authenticate the user in the MVC application and also using the token from the API to secure the API.
I am not sure that this is a good idea or what the best way to accomplish this is. It may be a bad idea. Maybe I should merge the API and MVC applications into the same project? Any feedback or ideas would be great.
If this does not make sense, please let me know.
The idea of a Web Api is the possibility to use a service with multiple clients, i.e. an Angular Web App, a Xamarin Mobile App and a Console App, all of them consuming the services of the API using the same Auth Method, usually token based. Conceptually, that is the idea.
Now in your scenario you created an MVC Web App and then a Mobile App, but for the mobile app you also created a Web Api, so basically you have two places where you put your business logic.
What I would recommend is to move and centralize everything in your Web Api and use that Auth only, so in your MVC client project you just store your token as you do in your mobile app.

OAuth2 flow for same domain website

I am building an OAuth2 API for my program. But I don't know how the flow works for using the same API on the main website for the app. Would I just use the normal authentication route? I think it would seem odd to see that the trusted name app is wanting access to information, when it's not a third party.
