开发者

OAuth2 Flow for Mobile Devices

We're currently working on an API that will be consumed by a variety of different devices. We want to use the OAuth2 spec as it defines several flows which were not available in the original OAuth spec. My question is, what flow would work best for a mobile device such as the iPhone or iPad? What flow does an application like Tw开发者_如何转开发eetDeck use?

Looking around the web it seems clients like TweetDeck use the 'Username and Password Credentials Flow" (browserless token exchange). Can anyone provide more information on this topic?


The username and password flow you discuss should only be used if there is a trust between the end-user (mobile device user) and the client requesting auth (the app on the mobile). In this case, it seems reasonable that this trust would exist. What basically happens is that the credentials are sent to the auth server in exchange for an access token.

It is expected that you DO NOT store the credentials. Instead, you should store the access token and the refresh token and use those. The refresh token mechanism is defined in the spec here and using the access tokens is discussed here


Also checkout the device profile at https://datatracker.ietf.org/doc/html/draft-recordon-oauth-v2-device-00

Here, the user sees a unique code on their handset, and is required to enter that code into the browser, while logged in, to authenticate the device.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜