0

I'm currently implementing a new OAuth 2 server (planning to use Ory Hydra), and this will be the authorisation server both for our developer portal, where developers create an app, are given a client_id and client_secret, and use those for the token exchange, and for our mobile app, where users fill in their credentials (username and password). The login, logout, forgot password, etc. will live in a different server.

Question is, is there a way to prevent having the consent screen as part of the Authorisation Code grant + PKCE? Via the mobile app users are authenticating to have access to their own information from a different service and my understanding of the Authorisation Code grant is that it's meant to be used by third-party apps to gain access to the user information.

I know there are other grant types, but it seems that Authorisation Code + PKCE is the recommended grant for native mobile apps according to this and this.

Thanks!

ezekkiel
  • 43
  • 9

2 Answers

1

With Ory Hydra, you control the user interface so you can decide when to show and when not to show the consent screen.

So it depends on how you built your app.

Basically choose a default consent type as outlined in the Implementing Login, Consent & Logout UI tutorial.

And then just skip showing that Consent UI in your app.

vinckr
  • 150
  • 8
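The answer above leaves the "skip" decision to the consent app. The following is an added example of how that decision can be written in Python; it is not code from Ory Hydra, the question or the answer. It assumes the Hydra 1.x admin API (`GET /oauth2/auth/requests/consent` and `PUT /oauth2/auth/requests/consent/accept`, both keyed by `consent_challenge`), a placeholder admin URL, and a hypothetical allow-list of first-party client IDs that is maintained by the consent app itself, not by Hydra. The important property is that the client identity comes from the consent request fetched server-side from the admin API, not from anything the browser or app sends, so a third-party client cannot talk its way past the consent screen.

```python
"""Consent-provider decision logic for an Ory Hydra login/consent app.

Hypothetical example (not Ory's own code). Assumes the Hydra 1.x admin API
paths; newer Hydra versions prefix them with /admin. The first-party
allow-list is an assumption of this example, not a Hydra setting.
"""
import json
import urllib.parse
import urllib.request

HYDRA_ADMIN_URL = "http://hydra-admin.internal:4445"  # placeholder

# Our own apps (e.g. the mobile app): there is no third party for the user
# to consent to, so the consent UI is skipped. Constructed example value.
FIRST_PARTY_CLIENT_IDS = {"our-mobile-app"}


def decide_consent(consent_request, first_party_client_ids=FIRST_PARTY_CLIENT_IDS):
    """Return the accept payload when the consent UI can be skipped, else None.

    `consent_request` is the JSON Hydra returns for a consent challenge. Fields
    used: skip, client.client_id, requested_scope, requested_access_token_audience.
    """
    client_id = consent_request.get("client", {}).get("client_id")
    requested_scope = list(consent_request.get("requested_scope", []))
    requested_aud = list(consent_request.get("requested_access_token_audience", []))

    # Hydra sets skip=True when the user already granted these scopes with
    # remember=True; a first-party client is ours, so nothing to ask either way.
    if consent_request.get("skip") or client_id in first_party_client_ids:
        return {
            "grant_scope": requested_scope,
            "grant_access_token_audience": requested_aud,
            # Nothing to remember: the decision is static per client.
            "remember": False,
        }
    # Third-party client: the caller must render the consent screen.
    return None


def fetch_consent_request(challenge):
    """Fetch the consent request for a challenge from the Hydra admin API."""
    query = urllib.parse.urlencode({"consent_challenge": challenge})
    url = f"{HYDRA_ADMIN_URL}/oauth2/auth/requests/consent?{query}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def accept_consent(challenge, payload):
    """Accept the consent request and return the URL to redirect the user to."""
    query = urllib.parse.urlencode({"consent_challenge": challenge})
    url = f"{HYDRA_ADMIN_URL}/oauth2/auth/requests/consent/accept?{query}"
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["redirect_to"]


def handle_consent_challenge(challenge):
    """Entry point for GET /consent?consent_challenge=... in the consent app."""
    consent_request = fetch_consent_request(challenge)
    payload = decide_consent(consent_request)
    if payload is None:
        return ("render_consent_ui", consent_request)
    return ("redirect", accept_consent(challenge, payload))
```

`decide_consent` is kept free of I/O so the skip rule can be unit-tested; `handle_consent_challenge` is what the web handler calls. Granting exactly `requested_scope` is right for a first-party client you control; for third parties you would still show the UI and grant only what the user ticked.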
0

CONSENT

Usually showing the consent screen is a property of the OAuth Client, though this varies between providers.

This can make sense in some scenarios where personal assets are not being used and the message would not be meaningful to users. For example corporate apps provisioned by an administrator.

MOBILE

You are right to use PKCE - it is standard for all UI flows these days - and recommended in OAuth 2.1 Updates.

Interestingly the consent screen can be useful for getting password autofill to work for mobile apps, so you may want to consider that angle also.

ORY

That looks like a very interesting project - I will take a closer look.

RESOURCES OF MINE

The mobile flow is tricky to implement. If it is useful my blog has some visual iOS and Android posts on the topic:

Gary Archer
  • 22,534
  • 2
  • 12
  • 24
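Since both the question and the answer above settle on Authorisation Code + PKCE for the mobile app, here is an added example (not from the question, the answers, or Ory) of the PKCE pieces on both sides of the flow as specified in RFC 7636: the app generates a `code_verifier` and sends its S256 `code_challenge` on the authorisation request, and the authorisation server later checks the verifier presented at the token endpoint against the stored challenge. The server-side check only accepts the S256 method by default, which is the OAuth 2.1 recommendation the answer mentions; the `plain` method is rejected unless explicitly allowed.

```python
"""PKCE (RFC 7636) helpers for a native app and for the authorization server.

Added example, not code from the page. The exchange with the real server is
illustrated by the two dicts of parameters, not by an HTTP call.
"""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 chars from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to 43 base64url chars, the RFC minimum length."""
    return b64url_no_pad(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_params(client_id: str, redirect_uri: str, scope: str, verifier: str):
    """Client side: parameters the app adds to the /oauth2/auth request."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": b64url_no_pad(secrets.token_bytes(16)),  # CSRF protection
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def build_token_params(client_id: str, redirect_uri: str, code: str, verifier: str):
    """Client side: parameters for the token request; no client_secret for a public app."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str,
                allow_plain: bool = False) -> bool:
    """Server side: check the verifier from the token request against the
    challenge stored with the authorization code."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain" and allow_plain:
        expected = presented_verifier
    else:
        return False  # unknown method, or plain when not allowed
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(expected, stored_challenge)
```

The server must bind the stored challenge and method to the authorisation code when it issues the code, and check the verifier before releasing tokens; a code stolen from the redirect is useless without the verifier, which never leaves the app.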