What OpenID Connect authorization flow to authenticate mobile app users?

mobile oauth openid openid-connect
15,539

Solution 1

Mobile apps, at least on iOS and Android, can register custom URL schemes so that a redirect from a browser can send the user back to your app along with some query parameters.

So, you can use these flows in a native mobile app, but it involves sending the user to a web browser (either an external browser app or a web view built into your application) in order for them to authenticate with the OP.

A complete article presenting how to implement the "Authorization Code Grant" flow securely on a native mobile app is available here : Building an OpenID Connect flow for mobile. It is based on latest IETF OAuth 2.0 Security Best Current Practice.

Please also note that the use of the "Implicit Grant" flow is now highly discouraged.

Solution 2

I think that the Hybrid flow from the OpenID Connect spec is probably the one which you want to use. OpenID Connect Core Spec.

This does rely upon having a configured return URI, but as James says you would use a custom URI scheme to enable the mobile OS to redirect after login to your own app. Your app would then have an access code which it can use to obtain access tokens as needed (assuming that you are using Oauth2 to protect your back-end API services which the mobile app uses).

There is a vulnerability which would allow a malicious app to hijack your URI scheme and grab the tokens, There is a draft spec to overcome that Proof Key for Code Exchange by OAuth Public Clients which is worth considering implementing.

Share:
15,539
PGleeson
Author by

PGleeson

Developer. Idiot. Optimist.

Updated on June 06, 2022

Comments

  • PGleeson
    PGleeson almost 2 years

    I am building a cross-platform mobile app that interacts with a RESTful API, and I want to use OpenID Connect to authenticate my users. I will be building my own OpenID Connect provider server.

    OpenID.net claims that:

    OpenID Connect allows for clients of all types, including browser-based JavaScript and native mobile apps, to launch sign-in flows and receive verifiable assertions about the identity of signed-in users.

    However, I can't find any documentation explaining how to actually authenticate for a mobile app client.

    This StackExchange answer makes it clear that OpenID Connect does not support the "resource owner password-based grant" flow or the "client credentials" flow.

    That just leaves the "authorization code" flow (normally used by server-side apps) and the "implicit grant" flow (normally used by client-side apps). Both of these seem to rely on redirecting the user to the provider's authorisation endpoint, and having the provider redirect back to the client URL. I don't see how this can apply to a mobile app.

    Can anyone explain to me (or even better, point me at a tutorial or some example code) which explains how to do this?

    Update

    To clarify: OpenID Connect relies on the client redirecting the user to the Authorization Endpoint, and then the provider redirecting the user back to the client. In the case where the client isn't a web app, how can this work?

  • PGleeson
    PGleeson over 9 years
    I'm not sure this helps. The client library is designed for a web app (c.f. github.com/mitreid-connect/simple-web-app). My question is about when your client isn't a web app.
  • PGleeson
    PGleeson about 9 years
    Thanks James. I think you're right, in my case since it's my own app, OIDC isn't the right tool for the job.
  • pawi
    pawi almost 7 years
    Do not forget that 3rd party frameworks used in the 'trusted/own' app can potentially access credentials entered by the user. Use SFSafariViewController approach, which provides the convenience for the user (i.e. staying within the app) and security (app cannot see the credentials entered) plus it provides SSO if there are multiple apps/sites.
  • Dai
    Dai over 5 years
    According to my understanding Hybrid Flow requires the Client to have a Client Secret. This isn't really feasible in cases where the end-user controls the device running the software (e.g. mobile-apps, desktop-apps, single-page application JavaScript apps) in which case just the Authorization Code grant will suffice for mobile-apps (which can safely store a refresh_token) or Implicit Flow (for single-page application apps which cannot be trusted to store any secure state between sessions).
  • Alex White
    Alex White over 5 years
    implicit flow should indeed always be used for browser based OpenID connect. PKCE which i refer to allows the apps to have a secret which prevents other apps from hijacking a response. It is, of course, perfectly possible to use implicit flow for mobile apps.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What's the difference between OpenID and OAuth?
Keycloak Access Token vs UserInfo token?
Refresh token with Keycloak
oAuth ASP.NET Membership Provider
Firebase: This domain is not authorized
IdentityServer Flows
Securly Storing OpenID identifiers and OAuth tokens
Difference between OAuth 2.0 "state" and OpenID "nonce" parameter? Why state could not be reused?
OpenID vs. OAuth
OAuth secrets in mobile apps