Say you have a REST API that you want to protect with an OAuth-based authentication system. The regular flow using the website I'm using is:

  • user clicks a link to login to google
  • google makes a request to the callback you specified
  • your application responds to the callback by taking the given tokens and requesting the user data, finding what that user data corresponds to on the database and giving you back a session cookie for the web application and an HTML redirect (for example to the home or whatever you prefer)

Basically the callback endpoint transforms google tokens into your web application session cookies.

Now I'm wondering: how would that work for a mobile application that doesn't know anything about cookies or redirects? It could do:

  • on google button click, make HTTP request to the google auth URL
  • google responds with the callback URL you specified
  • the app makes another request to the above mentioned callback URL to your application
  • your application returns a cookie session value and a redirect URL to the homepage
  • the mobile application forgets about the last redirect URL and takes the cookie session value and uses that for any other requests to the API

Is that right?

Shoe

1 Answer

One way to do it is that you create an embedded web component on the native mobile UI, you set its URL to the authorization endpoint, the user logs in and authorizes your app, the Authorization Server redirects to your callback URL with an Authorization Token.

Your app subscribes to the changes of the web component, and when it detects the callback URL it takes the Authorization Token, destroys the web component, and calls the REST API to get an Access Token, and then access any protected resources.

Disclaimer: I never implemented this and I don't work with mobile apps, I just got this from reading stuff.

Leventix
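The flow the question sketches and the answer describes (open the authorization URL in an embedded web view, watch its navigations, recognise the callback URL, pull the authorization code out of it, tear the web view down and exchange the code for an access token), as an added example that is not code from either poster. The redirect URI, endpoints and client id are assumed placeholders; the `state` check and the PKCE verifier/challenge pair are added because a native app has no client secret and cannot otherwise prove that the code it redeems is the one it requested. The token endpoint is simulated by `server_accepts_verifier`, so the whole thing runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: the redirect URI registered for the app, the provider's
# endpoints and the client id are placeholders, not real configuration.
REDIRECT_URI = "com.example.app://oauth/callback"
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "example-mobile-client"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """PKCE (RFC 7636): a random verifier that never leaves the device and its
    S256 challenge sent with the authorization request, so a code intercepted
    on the callback cannot be redeemed without the verifier."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state, challenge):
    """URL the app loads into the embedded web view to start the login."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def is_callback(url):
    """Exact match on scheme, host and path of the registered redirect URI;
    a prefix or substring match would accept look-alike URLs."""
    got, want = urlparse(url), urlparse(REDIRECT_URI)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


def extract_code(url, expected_state):
    """Called for every navigation the web view reports. Returns None for
    unrelated pages, the authorization code for a valid callback, and raises
    for a callback whose state does not match ours or that carries an error."""
    if not is_callback(url):
        return None
    query = parse_qs(urlparse(url).query)
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not bound to our request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback without authorization code")
    return code


def build_token_request(code, verifier):
    """Body the app POSTs to the token endpoint once the web view is gone."""
    return {
        "url": TOKEN_ENDPOINT,
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
            "code_verifier": verifier,
        },
    }


def server_accepts_verifier(stored_challenge, presented_verifier):
    """The check the authorization server makes at the token endpoint
    (simulated here): recompute S256 over the verifier and compare."""
    recomputed = _b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, stored_challenge)


def run_flow_demo():
    """End-to-end walk over a constructed list of web-view navigations."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    navigations = [  # constructed: what an embedded web view might report
        build_authorize_url(state, challenge),
        "https://auth.example.com/login?continue=1",
        REDIRECT_URI + "?" + urlencode({"code": "constructed-code-123", "state": state}),
    ]
    for url in navigations:
        code = extract_code(url, state)
        if code:  # callback seen: drop the web view, redeem the code
            req = build_token_request(code, verifier)
            return code, server_accepts_verifier(challenge, req["data"]["code_verifier"])
    return None, False
```

The app keeps `state` and the verifier in memory for the duration of one login attempt only; the access token returned by the token endpoint is what the app then sends on API requests, in place of the session cookie the question asks about.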