OAuth2 Flow for Mobile Devices
We're currently working on an API that will be consumed by a variety of different devices. We want to use the OAuth2 spec as it defines several flows which were not available in the original OAuth spec. My question is, what flow would work best for a mobile device such as the iPhone or iPad? What flow does an application like Tw开发者_如何转开发eetDeck use?
Looking around the web it seems clients like TweetDeck use the 'Username and Password Credentials Flow" (browserless token exchange). Can anyone provide more information on this topic?
The username and password flow you discuss should only be used if there is a trust between the end-user (mobile device user) and the client requesting auth (the app on the mobile). In this case, it seems reasonable that this trust would exist. What basically happens is that the credentials are sent to the auth server in exchange for an access token.
It is expected that you DO NOT store the credentials. Instead, you should store the access token and the refresh token and use those. The refresh token mechanism is defined in the spec here and using the access tokens is discussed here
Also checkout the device profile at https://datatracker.ietf.org/doc/html/draft-recordon-oauth-v2-device-00
Here, the user sees a unique code on their handset, and is required to enter that code into the browser, while logged in, to authenticate the device.
精彩评论