Should I use OAuth (or what else) for the backend of a mobile app? - There is only *one* "third-party" application in such cases


If your authentication system supports OAuth, by all means use it. The advantage of OAuth is standardization. Using standard protocols has a lot of advantages. The most important one is that it is very hard to come up with a bulletproof authentication system. A lot of high-profile hacks in the last decade are attributed to home-grown authentication protocols.

Another advantage of using OAuth or another widely accepted protocol is the availability of libraries. You can find an OAuth library for any platform and any language these days.

Just keep in mind that OAuth is not the only game in town. There are other fine protocols out there. Probably the most bulletproof out there is mTLS. It requires a robust Public Key Infrastructure, but it is probably the hardest to hack. If you are in an old-school environment with Active Directory and writing an internal app, consider Kerberos. And finally there is SAML, which is very enterprisey and a pain to work with, but it is a bit more flexible than plain OAuth.


Updated on December 18, 2022
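As an added illustration of the answer's point that a standard protocol lets you lean on an existing library instead of writing token handling yourself, here is a Spring Security configuration that makes a Java Spring backend such as the questioner's validate the `Authorization: Bearer` tokens issued by an external OAuth 2.0 / OpenID Connect authorization server (for instance the Keycloak mentioned in the comments). This is example code, not the answerer's or the project's own; the issuer URL and the `mobile-api` audience value are placeholder assumptions.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // Placeholder issuer (assumption): a Keycloak realm URL or any other OpenID Connect provider.
    private static final String ISSUER = "https://auth.example.com/realms/mobile";
    // Placeholder audience (assumption): the name under which this API is registered at the issuer.
    private static final String AUDIENCE = "mobile-api";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // The mobile app sends a bearer token on every request, so there is no
            // server-side session and no CSRF token to manage.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Spring fetches the issuer's signing keys (JWKS) and verifies each token's signature.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Discovers the JWKS endpoint from the issuer's metadata document.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        // The defaults check signature, expiry and issuer; add an audience check so a
        // token minted for a different API at the same issuer is rejected.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }
}
```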

Comments

  • ch271828n over 1 year

    I am developing a mobile app and its backend (Java). How shall I authenticate the users (using our own account system, not things like Google/GitHub accounts)? One way is to create an OAuth2 server. However, my backend is not a giant, and I only have one "third-party application" in the definition of OAuth...

    So I wonder what is the best way of authentication in such a mobile app? Thanks!

    P.S. Another idea is to use cookies, just like in the old days when developing browser webpages. But I seldom see apps doing it this way. I see most of them sending Authorization: Bearer the_token_values...

    P.S.2 I am using Flutter and Java Spring.

  • ch271828n about 4 years
    Thanks very much! My main concern is that OAuth is too "heavy", since we need to set up an authentication server in addition to writing some Java Spring code. Originally I thought that authentication is soooo mature that it should be done "in one click" instead of setting up separate servers etc :)
  • ch271828n about 4 years
    By the way, about authentication servers, could you please suggest some? Thanks! (I have searched and seen Keycloak, but do not know whether it is the best.)
  • Vlad about 4 years
    Depends on your environment. Never used Keycloak, but heard about it. I mostly use enterprise servers, like ADFS and Auth0 on prem. For the open source ones look at IdentityServer (.NET based, doesn't come with a pre-built UI), OpenAM (very old, but still kicking; supports tons of protocols), go-oauth and light Oauth are pretty good too.
  • ch271828n about 4 years
    @Vlad Hi, I am confused about some simple details... Could you please kindly give an answer? Thanks very much! The question link ----> stackoverflow.com/q/61313694/4619958