We know:

In the OAuth 2.0 Authorization Code Flow there are several entities:

  • A) User
  • B) User Agent (Browser)
  • C) Client App (Mobile App)
  • D) Confidential Client (Middleman Web Server)
  • E) Authorization Server

Also we know that the Web Server keeps the Client Secret, and the /token route of the Authorization Server needs the Authorization Code and the Client Secret to return the Access Token.

My Question:

When the User logs in to the Authorization Provider by browser and the Authorization Server returns the Authorization Code to the redirect URL (to the Web Server), which one of the following ways exactly SHOULD be done? Why?

X)

  1. The Web Server should return the Authorization Code as a response to the Browser in an appropriate deep-linking format.
  2. The Browser opens the Mobile App and passes the Authorization Code to it.
  3. The Mobile App uses PKCE to send the Authorization Code to the Web Server (by calling an API), and the Web Server sends the request to the Authorization Server to get the Access Token, which is returned to the Mobile App.

Y)

  1. The Web Server should get the Access Token using the received Authorization Code and return the Access Token as a response to the Browser in deep-linking format.
  2. The Browser opens the Mobile App and passes the Access Token to it.

I have seen the below diagram here:

And I think the correct way is X, because in the X way the Mobile App gets the Access Token directly by API without the Browser deep-linking, and X is secure. But I need a valid document and a reference to official documentation in the answers.

I want to be sure... Which one is the correct way? X or Y?

Ramin Bateni

1 Answer

Disclaimer: I'm not a mobile app developer.

I think X is correct because:

  1. It adheres to the standard flow.
  2. Getting the access_token from the Web Server and then redirecting to the app is not secure, because the token is in clear format (in the URL) and can potentially be intercepted or logged.
  3. I think point 6 of the design can be performed by a POST (?) request, with the values in the body of the response (no logging), and you can also use PKCE for better security.

Other useful links:
OAuth 2.0 for native apps
OAuth 2.0 best practices for native apps

Max
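The following is an added example, not code from the question or the answer, that models option X together with the answer's point 3 (code and PKCE verifier sent in a POST body, client secret held only by the web server). All names (`ToyAuthorizationServer`, `run_flow_x`, `try_token`, the `myapp://callback` deep link, the client id and secret) are hypothetical, and HTTP calls are replaced by method calls so the script runs offline. The security point it makes concrete: with PKCE the authorization server binds the code to a `code_challenge`, so whoever holds only the code (a party that saw the redirect URL or deep link, or the web server by itself) cannot exchange it; the `/token` call needs the client secret, the verifier and the original redirect URI, and a code works once. Only the short-lived code, never the access token, appears in a URL.

```python
"""Toy model of OAuth 2.0 Authorization Code flow with PKCE (RFC 7636, S256).
Added example; all class/function names and sample values are hypothetical."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_param(url: str, name: str) -> Optional[str]:
    """Read one query parameter from a redirect or deep-link URL."""
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


class ToyAuthorizationServer:
    """Hypothetical authorization server with a single confidential client."""

    def __init__(self, client_id: str, client_secret: str):
        self.client_id = client_id
        self.client_secret = client_secret
        self._codes = {}  # code -> (code_challenge, redirect_uri)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        """Return the redirect URL the browser is sent to after login.
        The user's login itself is not modelled; the issued code is bound to
        the code_challenge that arrived in the authorization request."""
        if client_id != self.client_id:
            raise PermissionError("unauthorized_client")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (code_challenge, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def token(self, client_id: str, client_secret: str, code: str,
              code_verifier: str, redirect_uri: str) -> dict:
        """/token endpoint: needs the client secret (confidential client) AND
        the PKCE verifier; each code is accepted at most once."""
        if client_id != self.client_id or not hmac.compare_digest(
                client_secret.encode(), self.client_secret.encode()):
            raise PermissionError("invalid_client")
        entry = self._codes.pop(code, None)  # single use, even on failure
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        challenge, uri = entry
        if uri != redirect_uri or not hmac.compare_digest(
                make_code_challenge(code_verifier).encode(), challenge.encode()):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_flow_x(srv: ToyAuthorizationServer, client_id: str, client_secret: str,
               redirect_uri: str) -> dict:
    """Option X: the app keeps the verifier, the web server keeps the secret,
    and only the short-lived code ever travels through a URL."""
    verifier = make_code_verifier()                 # stays inside the mobile app
    challenge = make_code_challenge(verifier)       # sent in the authorization request
    redirect = srv.authorize(client_id, redirect_uri, challenge)  # browser -> web server
    code = query_param(redirect, "code")
    # X.1 / X.2: the web server hands the code (not a token) to the app by deep link
    deep_link = f"myapp://callback?{urlencode({'code': code})}"
    # X.3: the app POSTs code + verifier in a request body to the web server API;
    # the web server adds its client secret and calls /token
    post_body = {"code": query_param(deep_link, "code"), "code_verifier": verifier}
    token = srv.token(client_id, client_secret, post_body["code"],
                      post_body["code_verifier"], redirect_uri)
    return {"deep_link": deep_link, "token": token}


def try_token(srv: ToyAuthorizationServer, client_id: str, client_secret: str,
              code: str, code_verifier: str, redirect_uri: str) -> str:
    """Return 'ok' or the error string the toy server raised."""
    try:
        srv.token(client_id, client_secret, code, code_verifier, redirect_uri)
        return "ok"
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    server = ToyAuthorizationServer("app-backend", "backend-secret")  # constructed values
    result = run_flow_x(server, "app-backend", "backend-secret", "https://backend.example/oauth/cb")
    print("deep link carries only a code:", result["deep_link"])
    print("token delivered over the API response body:", result["token"]["token_type"])
```

Running the script shows the deep link containing `code=...` and no `access_token=`; the token is only ever returned in the API response body. Swapping in option Y would mean placing `result["token"]["access_token"]` into that `myapp://` URL, which is exactly the value that browser history, referrer headers and app-link logs can capture, and which has no PKCE binding to protect it.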