
I have read a tutorial regarding OAuth 2.0 and the implicit grant type. I still don't understand how the implicit grant type will work for mobile (iOS or Android). For example, if we create an SSO app (like Facebook) and make an SDK to give this service, does the SSO app contact the Authorization server programmatically or via a web view?

Another point: the implicit grant type requires you to send a Redirect URI. I understand that you can make a custom URI scheme for iOS and do this. What I don't understand is how the authorization server calls a custom URI on the device.

Chan

2 Answers


For OAuth2 in mobile apps you can set your redirect_uri to some dummy URL like http://localhost/redirect/ and then use the webview's "onload" event to check the URL for access_token.

For example in iOS, you can load the authorization url in webview, and use delegate method to check the redirect_uri for access_token like this:

- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType {
    NSURL *url = [request URL];
    if ([[url absoluteString] hasPrefix:@"http://localhost/redirect/"]) { // only the dummy redirect_uri, not the provider's pages
        NSString *fragment = [url fragment]; // implicit grant returns access_token=...&token_type=... in the fragment
        ...
    }
    return YES;
}

You can also do this in Phonegap app with HTML5/JavaScript using InAppBrowser:

var loginWindow = window.open(login_url, '_blank', 'location=yes');
$(loginWindow).on('loadstart', function(e) {
    var url = e.originalEvent.url;
    // Only the dummy redirect_uri carries the token; other loads have no access_token.
    if (url.indexOf("access_token=") === -1) { return; }
    // Keep just the token value, dropping the parameters that follow it.
    var access_token = url.split("access_token=")[1].split("&")[0];
    ...
});

Full code here: https://github.com/krisrak/jquery-cordova-oauth2

krisrak
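A more careful version of the URL check this answer describes, as an added example that is not the answer's own code nor the linked library's: it only reacts to the dummy redirect_uri, reads the token from the URL fragment (where the implicit grant puts it) rather than splitting the raw string, surfaces an `error` response, and rejects a reply whose `state` does not match the value the app generated before opening the login window. The redirect URI, the `state` value and the sample URLs are constructed for the example.

```javascript
// Parse the URL the webview reports on 'loadstart' after an implicit grant.
// Returns null for URLs that are not the dummy redirect, an object with
// ok:false and an error code for failures, and the token fields on success.
function parseImplicitRedirect(url, redirectUri, expectedState) {
  // Only act on the dummy redirect, never on the provider's intermediate pages.
  if (!url.startsWith(redirectUri)) {
    return null;
  }
  const parsed = new URL(url);
  // The implicit grant returns the token in the fragment (#...), which is not
  // sent to the redirect host; an error response may arrive in the query string.
  const fragment = new URLSearchParams(parsed.hash.replace(/^#/, ''));
  const query = parsed.searchParams;
  const error = fragment.get('error') || query.get('error');
  if (error) {
    return { ok: false, error };
  }
  const token = fragment.get('access_token');
  if (!token) {
    return { ok: false, error: 'missing_token' };
  }
  // A response that does not echo our state was not started by this app
  // (CSRF / token injection), so it must not be accepted.
  if (fragment.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch' };
  }
  const expiresIn = fragment.get('expires_in');
  return {
    ok: true,
    accessToken: token,
    tokenType: fragment.get('token_type') || 'bearer',
    expiresIn: expiresIn ? Number(expiresIn) : null,
  };
}

// Constructed sample values standing in for what the webview would report.
const REDIRECT_URI = 'http://localhost/redirect/';
const SAMPLE_STATE = 'n7k2x'; // generated per login attempt and kept in memory
const SAMPLE_OK = REDIRECT_URI + '#access_token=abc123&token_type=bearer&expires_in=3600&state=n7k2x';
const SAMPLE_CSRF = REDIRECT_URI + '#access_token=injected&token_type=bearer&state=other';
const SAMPLE_DENIED = REDIRECT_URI + '?error=access_denied&state=n7k2x';
const SAMPLE_UNRELATED = 'https://provider.example/login?client_id=app';
```

In the Phonegap handler above, call `parseImplicitRedirect(e.originalEvent.url, REDIRECT_URI, state)` and close the login window only when it returns a non-null result.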

The implicit grant type isn't well suited for mobile apps. This is what the corresponding RFC (RFC 6749) has to say about it:

The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.

For a mobile app, you're better off with the Resource Owner Password Credentials flow if you're making the official app for your own service, or the Authorization Code flow if you're accessing a third-party web service.

BadIdeaException
  • Then what about the part regarding the custom URI of iOS and web authorization URLs for Android? Also the referred tutorial mentions using the implicit grant type for mobile apps. – Chan Mar 11 '14 at 17:52
  • The RFC is in regards to unsecured credentials as a whole, so you are incorrect in stating that the implicit grant type isn't well suited for mobile apps. This not only includes browser scripts like JS, but also (and not limited to) mobile apps that call directly, IoT that call directly, etc. But you're right in that a trusted app is more easily accommodated via ROPC or Auth Code (depending on whether the app is trusted with the user credentials). – akoo1010 Jul 13 '15 at 23:38
  • You can not safely store the client_secret when developing for mobile and when using the password grant type. – Jdruwe Oct 08 '15 at 17:04