I've been trying to come up with a solution to this problem for the last couple of days, but now I'm out of ideas. Basically, I need to authenticate users of my mobile app (it uses expo) via legacy university API that uses OAuth1.0a instead of OAuth2.
The workflow looks as follows:
- The app sends a request to Ruby on Rails backend api at /api/auth/providername
- The backend initiates oauth flow (retrieves request token from auth server etc)
- Then the server redirects the client to /authorize endpoint of auth server with appropiate parameters where user enters their university credentials.
- Auth server sends a response to backend's callback endpoint, then backend makes a request to /access_token endpoint and retrieves needed info.
- The backend sends an httponly cookie with session_id (session is created on the rails server)
How should I approach this in react native? I've managed to do this with Webview that shares cookies and waits until the browser is redirected to a specific URL. On signout cookies are deleted using react-native-cookies. However, I've read that iOS apps that use Webview to authenticate users are rejected from AppStore, since there is a possibility of phishing attack or something. So, I tried to use both expo-web-browser and expo-auth-session, but it seems that none of these support OAuth1.0a, and even then, every example in the Internet that uses WebBrowser and AuthSession stores auth api secrets in mobile app which is rather unsafe (I want to use my backend as a proxy that has all the secrets). Is there a way to achieve what I want? I want my users to click login button which opens browser, they authenticate AND (this is important to me) after successful authorization they are redirected back to the app.
