1
votes

I'm trying to build an OAuth 2 provider. For the web server flow it's very straightforward, but I can't figure out the best way to implement an installed application flow.

Most examples I've seen follow essentially the web server flow within an embedded browser in the mobile application; this is also generally how Facebook and Google demonstrate 3rd party apps using their APIs.

But do Facebook's and Google's own mobile applications actually use that flow, or is there some better way to implement mobile authentication?

My main problem stems mostly from the client ID and client secret: if it's embedded in every installed version of a mobile app it becomes essentially useless, as it can be easily sniffed, and there are no clear OAuth 2 examples of having a per-application basis for the client secret.

So what's the best way of securing my own mobile app using OAuth 2?


1 Answers

0
votes

As you probably want to have user-based authorization and do not want to deal with a username/password on the client side, this leaves you the choice of using the Implicit Grant flow or the Authorization Code Grant flow (what you call the web server flow).

Now check out the OAuth 2 specification's Installed Applications section. There they state:

When choosing between the implicit grant type and the authorization code grant type, the following should be considered:

  • Native applications that use the authorization code grant type SHOULD do so without using client credentials, due to the native application's inability to keep client credentials confidential.
  • When using the implicit grant type flow, a refresh token is not returned, which requires repeating the authorization process once the access token expires.

Whether to use an embedded or an external user-agent is also widely covered by the specification.

For implementing this securely (at least as far as this is technically possible on an open platform), search the specification for the word native and read the sections containing that word multiple times, especially the Client Authentication and Client Impersonation sections.
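To make the spec's advice concrete from the provider side, here is an added example (not code from the asker or the answerer) of an authorization endpoint and a token endpoint that treat a native app as a public client: no client secret is required from it, but the authorization code is bound to the client ID and redirect URI, is single-use and short-lived, and the implicit grant deliberately returns no refresh token. It goes one step beyond the page by also requiring a PKCE code challenge/verifier (RFC 7636, S256 method) for public clients, which is the standard way to stop an intercepted code from being redeemed by another app on the device. The client registrations, secret value, redirect URIs and in-memory stores are constructed for the example.

```python
import base64
import hashlib
import secrets
import time

# Constructed provider state; a real provider keeps this in a database.
CLIENTS = {
    # Native/mobile client registered as "public": no secret is stored,
    # because anything shipped inside the app cannot be kept confidential.
    "mobile-app": {"type": "public", "redirect_uris": ["myapp://callback"]},
    # Web-server client that can hold a secret (constructed value).
    "web-backend": {"type": "confidential", "secret": "example-secret-not-real",
                    "redirect_uris": ["https://example.test/cb"]},
}
AUTH_CODES = {}   # code -> binding data (client_id, redirect_uri, user, challenge, expiry)
TOKENS = {}       # token string -> metadata
CODE_TTL = 60     # seconds; authorization codes should be short-lived


def s256_challenge(verifier):
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(client_id, redirect_uri, user, response_type, code_challenge=None, now=None):
    """Authorization endpoint: returns the parameters the user-agent is redirected back with
    (after the user has authenticated and consented, which is assumed to have happened)."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    # The redirect URI must exactly match one registered for this client.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return {"error": "invalid_request"}
    if response_type == "token":
        # Implicit grant: an access token only, never a refresh token.
        tok = secrets.token_urlsafe(32)
        TOKENS[tok] = {"client_id": client_id, "user": user, "kind": "access"}
        return {"access_token": tok, "token_type": "bearer", "expires_in": 3600}
    if response_type == "code":
        # Public clients cannot authenticate, so a PKCE challenge is mandatory for them.
        if client["type"] == "public" and not code_challenge:
            return {"error": "invalid_request", "error_description": "code_challenge required"}
        code = secrets.token_urlsafe(32)
        AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                            "challenge": code_challenge, "expires": now + CODE_TTL, "used": False}
        return {"code": code}
    return {"error": "unsupported_response_type"}


def token(client_id, code, redirect_uri, client_secret=None, code_verifier=None, now=None):
    """Token endpoint for grant_type=authorization_code."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    # Only confidential clients are authenticated with a secret.
    if client["type"] == "confidential":
        if not secrets.compare_digest(client_secret or "", client["secret"]):
            return {"error": "invalid_client"}
    rec = AUTH_CODES.get(code)
    # Unknown, replayed or expired codes are all rejected the same way.
    if rec is None or rec["used"] or now > rec["expires"]:
        return {"error": "invalid_grant"}
    # The code is bound to the client and redirect URI it was issued for.
    if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}
    # For public clients the PKCE verifier proves the same app that started the flow finishes it.
    if client["type"] == "public":
        expected = rec["challenge"] or ""
        if not code_verifier or not secrets.compare_digest(s256_challenge(code_verifier), expected):
            return {"error": "invalid_grant"}
    rec["used"] = True
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    TOKENS[access] = {"client_id": client_id, "user": rec["user"], "kind": "access"}
    TOKENS[refresh] = {"client_id": client_id, "user": rec["user"], "kind": "refresh"}
    # Authorization code grant: refresh token included, so the user is not re-prompted on expiry.
    return {"access_token": access, "token_type": "bearer", "expires_in": 3600,
            "refresh_token": refresh}
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the endpoints use the clock directly. The point the spec makes is visible in the two return shapes: the code grant for a public client relies on redirect-URI registration, code binding and PKCE instead of a secret, and still yields a refresh token, while the implicit grant avoids the code exchange entirely at the cost of having no refresh token.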