OAuth 2.0 for Native and Mobile Apps

Native and Mobile apps have special requirements for using OAuth 2.0.

Gilles Morieux

Thanks Micah for this feature article, which reinforces my recent work, where I reach the same conclusions you clearly explain in this document, i.e. "The Auth Code with PKCE Flow will replace the Implicit Flow over time. This will strengthen SPA apps by reducing the surface area of attack."
Most serious articles indeed recommend a code + PKCE approach for native applications without, however, mentioning SPA applications, nor explicitly recommending this approach instead of the Implicit Flow.
I felt a bit lonely, even though PKCE's latest progress in appauth-js was moving in this direction.
Thanks a lot to the AppAuth SDK contributors too.
Update : https://tools.ietf.org/html…
Note: although PKCE so far was recommended as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications.

Anil Thakkar

I am stuck with one very basic requirement in my application. Here is my scenario. I am building a custom e-commerce portal using Angular as a front end and a REST API as a back end. I have a product listing API which is going to be called by my Angular client application without the user's credentials, as the product list is a public page. However, I don't want anyone else to consume my product listing API. I know I can use a client ID and client secret to obtain a token and make it secure, but how do I avoid exposing my client secret in the Angular app?
Anyone can steal it very easily. Is there any way to use the Authorization Code flow with PKCE for my public APIs, such as the product listing API, where a user ID and password are not required?