
We have a classical C-S (client-server) architecture, i.e. a mobile app and a business server. We have our own account system (not using 3rd party accounts such as Google/Facebook accounts). I know I should use OAuth2 for authentication. The problem is, how shall I implement that?

There are two things that I did not find on the Internet:

  1. We are using our own account system - no Google/Facebook account.
  2. The user should input his password in the native app UI, not in a browser webpage embedded in the app.

Questions:

  1. I think we can use the "resource owner password grant" mode. The user inputs the password in the native UI, then we gather it and send an HTTPS request to the server, etc. But I have seen people saying it is unsafe... So should I use it?
  2. If we should use the "authorization code" mode, how shall I let the user input his password within the native UI?

Thanks very much!

p.s. If we did not have our own account system and simply relied on Google/Facebook accounts, then everything would be simple. We could just use any blog or article or answer on the Internet. However, we need our own account system.

ch271828n

  • Based on the info you provided, it sounds like you don't actually need oauth2 (which is not an authentication protocol btw), and you would just be introducing unnecessary complexity with oauth2. – Gabor Lengyel Apr 20 '20 at 01:28
  • @GaborLengyel Er, so which method shall I use? People have told me in this [link](https://stackoverflow.com/questions/60611240/should-i-use-oauth-or-what-else-for-the-backend-of-a-mobile-app-there-is-on) that I should use OAuth, so I am really confused... Thanks! – ch271828n Apr 20 '20 at 01:30
  • Well tbh I missed the part it was a mobile app. For that you would need tokens, and from there the other question's accepted answer is right, oauth2 is a standard solution with well known libraries. (If it was a regular web app, all you needed would be a plain old session.) I'm not a java expert, so I don't know what else should be considered for a well known token authentication solution in Java. It also depends on the workflow you want to achieve (is it ok to provide password in a browser once, then use the native ui, etc). – Gabor Lengyel Apr 20 '20 at 01:40
  • @GaborLengyel Thanks! Er, imho I am confused about how to do the *mobile app* side, not the server side (since I will use the standard libraries), and the language does not matter, it is just logic... So could you please provide some advice? Thanks! – ch271828n Apr 20 '20 at 01:43

1 Answer

The resource owner flow is considered unsafe when used with 3rd party authentication, for example when your mobile app is trying to access a file in the user's Dropbox or a Gmail email. If you own all the parts of the system (account system, resources and the app) you should be safe with the resource owner password flow.

It is a much simpler flow; however, it has some drawbacks, like you won't be able to federate with other 3rd party or enterprise systems, and you can't benefit from single sign-on. If neither of those applies to you, go ahead and use the resource owner password flow.

You can find a good treatment on the subject here: https://auth0.com/blog/oauth-2-best-practices-for-native-apps/

Vlad
  • Thank you very much! Yes I do not need other parties logging in, neither do I need SSO. I will have a look at the link. Thanks! – ch271828n Apr 20 '20 at 04:03
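As an added example (not part of the question or of Vlad's answer), here is the password grant exchange the answer recommends, modelled in Python with the request bodies the native app sends and a token endpoint that answers them, including the refresh grant so the password never has to be stored on the device. The user "alice", the client_id "mobile-app" and the salt are constructed for this example, and HTTPS transport is assumed rather than shown.

```python
# Added example, not code from the question or answer: a self-contained model of
# the OAuth2 resource owner password grant (RFC 6749 sec. 4.3) and refresh grant
# (sec. 6). User, client_id and salt are constructed; HTTPS transport is assumed.
import hmac, hashlib, secrets, time
from urllib.parse import urlencode, parse_qs
_SALT = b"constructed-salt"
# Server stores only a password hash; the native app is a public client (no secret).
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
CLIENTS = {"mobile-app"}
ACCESS_TTL = 900                      # seconds an access token stays valid
_access, _refresh = {}, {}            # access token -> (user, expiry); refresh token -> user

def client_login_body(username, password, client_id="mobile-app"):
    """What the native UI sends to the token endpoint: a form-encoded body."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "client_id": client_id})
def client_refresh_body(refresh_token, client_id="mobile-app"):
    """Sent when the access token expires, so the password is not kept on device."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token, "client_id": client_id})

def _issue(username):
    at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access[at] = (username, time.time() + ACCESS_TTL)
    _refresh[rt] = username
    return {"access_token": at, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": rt}

def token_endpoint(body):
    """Server side of the exchange; returns the response as a dict."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("client_id") not in CLIENTS:
        return {"error": "invalid_client"}
    if form.get("grant_type") == "password":
        digest = hashlib.pbkdf2_hmac("sha256", form.get("password", "").encode(),
                                     _SALT, 100_000)
        stored = USERS.get(form.get("username"))
        # Hash even for unknown users and compare in constant time; one error for both.
        if stored is None or not hmac.compare_digest(stored, digest):
            return {"error": "invalid_grant"}
        return _issue(form["username"])
    if form.get("grant_type") == "refresh_token":
        user = _refresh.pop(form.get("refresh_token", ""), None)  # single use: rotate
        return _issue(user) if user else {"error": "invalid_grant"}
    return {"error": "unsupported_grant_type"}

def check_bearer(token):
    """Resource server check: unexpired access token -> username, else None."""
    entry = _access.get(token)
    return entry[0] if entry and entry[1] > time.time() else None
```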