I am currently implementing federated login using OAuth 2.0. This is for a website and a client which has an iOS, android and windows phone / store implementation. For more information; the clients are implemented in Xamarin, however I don’t think this is critical to this question.
Requirements:
- On the website, the user can select to authenticate against Facebook, google, live or an internal account.
- Must be as secure as possible
- To persist the logged in state for as long as possible to minimise the need for the user to re-authenticate (I believe Facebook is 60 days for a long-lived token)
- Because we want to store the final token server-side for offline access and token renewal, we would want to use the explicit flow (response_type=code, AKA server-side flow), where you get an access code which is then redeemed for an auth token.
- For the clients, ideally, rather than opening the web flow for authentication, using e.g. WebAuthenticationBroker or Xamarin.Auth, it would be preferable to use a native component – this would allow the OS to remember the users credentials and also offer a much better “look and feel”
Taking Facebook as one example, if I used the Facebook SDK, it would be using the implicit OAuth flow, and so I would not get the code I need (See: https://components.xamarin.com/view/facebookios). Am I missing something, or is there a way to pass ‘response_type=code’ using a native Facebook component? Should I in fact just be sending the implicit flow’s access token to our service instead and are there any disadvantages of this?
Am I going to need to implement the flow manually? Something like:
I have read the following additional articles, but still not sure I understand the best course of action:
