I want to implement the OAuth2 provider functionality in my web service and use OAuth2 for API usage authorization for native apps.
You can issue access_token
using the ResourceOwnerPasswordcredentials flow
.
This web service allows you to register using your Facebook or Twitter account.
A user does not have an ID/PW.
Implicit flow
cannot issue refresh_token
, so I think it is difficult to use.
In this case, is it correct to obtain access_token
by using the AuthorizationCode flow
?
Please let me know if there is a better way to do this, as it will seriously damage UX if you use Safari or Chrome for native apps.
I have never implemented an OAuth provider, so I have an objective opinion, but I wonder if it will be a combination of ResourceOwnerPassword credentials flow and AuthorizationCode flow (using the appropriate one for each user).
Generally speaking, opening an authorization screen with an external browser or using webview would be a little better for the latter, but of course, users may suspect and fear that their passwords might be stolen.
(Assuming that the target device is iOS or Android) Both Twitter and Facebook have SDK, so you can log in to each of them by authenticating the official application and device, and you can use OAuthecho (in the case of Twitter), so I think it's a good idea to use it.(Unfortunately, I have no experience with the Facebook API.)
As for Facebook, the second section of 7.Login of Platform Policy contains
Native iOS and Android apps that implement Facebook Login must use your official SDKs for login.
and Facebook Login (getting access tokens) are required to use the official SDK.And if you're using SDK, if you have the Facebook app installed on your device, you can get the access token via Fast App Switch with the Facebook app (fallback to other means such as Safari/WebView if the app is inside).
© 2024 OneMinuteCode. All rights reserved.