1
votes

I have implemented an IdentityServer4 and it looks great. Now, I have a requirement to connect a native mobile app (Xamarin) to it. Most of the blogs and discussions suggest using either the "Authorization Code" or "Hybrid" flow, and the Xamarin example on GitHub uses the "Implicit" flow.

I have been through this documentation on the Authorization flow and it does not say anything about username or password. https://identityserver4.readthedocs.io/en/release/endpoints/authorize.html

What I need is to allow the user to supply his/her username and password to the authentication server, and the server should ultimately give back the access code.

  1. Which will be the most appropriate authentication flow for this?
1
Hi, what did you end up doing? I'm in kind of the same setup: Xamarin with Web API and IdentityServer. I have the need for both username/password and Facebook login. I want the Facebook login to be handled natively so I end up with a token for Facebook, and from there I want to hand it over to IdentityServer. - Rasmus Christensen

1 Answer

6
votes

There are two "mindsets" -

a) the login UI is native in the application

b) the login UI is rendered from the OpenID Connect in a browser

Generally b) is recommended - check the spec:

https://tools.ietf.org/wg/oauth/draft-ietf-oauth-native-apps/

I also did a talk about that last year:

https://vimeo.com/171942749

If you absolutely don't want the redirect/server-based approach, then research the "resource owner password grant" - e.g. here:

https://identityserver4.readthedocs.io/en/release/quickstarts/2_resource_owner_passwords.html

But, I would not recommend it.
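
Approach b) sketched as an added example (not code from the answer or from the IdentityServer4 project): the app opens the server's authorize endpoint in the system browser, so the username and password are typed into the server's page, and the app only receives a code that it redeems together with a PKCE verifier, the mechanism the linked native-apps spec requires. The class name, the authority URL, client id, redirect URI and scope are assumptions supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example. One instance per login attempt; keep it until the redirect comes back.
public sealed class NativeAuthRequest
{
    public string State { get; } = RandomToken();        // ties the response to this request
    public string CodeVerifier { get; } = RandomToken(); // PKCE secret, never leaves the app
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static string RandomToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return B64Url(bytes);
    }

    // URL to open in the system browser; the login form is rendered by the server.
    public string AuthorizeUrl(string authority, string clientId, string redirectUri, string scope)
    {
        string challenge;
        using (var sha = SHA256.Create())
            challenge = B64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(CodeVerifier)));
        var p = new Dictionary<string, string> {
            ["response_type"] = "code", ["client_id"] = clientId,
            ["redirect_uri"] = redirectUri, ["scope"] = scope, ["state"] = State,
            ["code_challenge"] = challenge, ["code_challenge_method"] = "S256" };
        return authority.TrimEnd('/') + "/connect/authorize?" + string.Join("&",
            p.Select(kv => kv.Key + "=" + Uri.EscapeDataString(kv.Value)));
    }

    // Checks the redirect the app received and returns the form fields to POST to /connect/token.
    public Dictionary<string, string> TokenRequest(string callbackUrl, string clientId, string redirectUri)
    {
        var q = callbackUrl.Substring(callbackUrl.IndexOf('?') + 1)
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(s => s.Split(new[] { '=' }, 2)).Where(a => a.Length == 2)
            .ToDictionary(a => Uri.UnescapeDataString(a[0]), a => Uri.UnescapeDataString(a[1]));
        if (q.TryGetValue("error", out var err)) throw new InvalidOperationException("authorize error: " + err);
        if (!q.TryGetValue("state", out var st) || st != State)
            throw new InvalidOperationException("state mismatch: response is not for this request");
        if (!q.TryGetValue("code", out var code)) throw new InvalidOperationException("no code in response");
        return new Dictionary<string, string> {
            ["grant_type"] = "authorization_code", ["code"] = code, ["client_id"] = clientId,
            ["redirect_uri"] = redirectUri, ["code_verifier"] = CodeVerifier };
    }
}
```

The returned fields are sent as a form-encoded POST to the token endpoint; a response whose `state` does not match is rejected before any code is redeemed.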