# talk-hydra
l
If anyone has implemented or has any idea about what's the best way to do OAuth2 in an Android app (I'm using Flutter): I see people putting client credentials inside the app; is that even safe? Do we need to have a server handling all the logic and use it for redirections, etc.? Any resource with a flow diagram would be helpful for me.
n
the generally accepted approach is authorization code with PKCE using a public client (i.e. no secret), since mobile apps technically can't store secrets, as the client runs on a device you don't control
you could also take a look at dynamic client registration, which would let you create private clients for each device
I don't claim to be an expert, however, as we're currently in the middle of this implementation as well, but I have been reading quite a bit about it. It's especially difficult as the "right way" seems to change quite often as new standards are released, so it's easy to find outdated recommendations when searching
l
@numerous-umbrella-61726, any preferred resources for this?
n
Ory themselves posted a good blog post on it: https://www.ory.sh/oauth2-for-mobile-app-spa-browser/
there's also https://oauth.net/2/native-apps/ if you want a more "official" reference, since that links to the IETF recommendation