This flow is only required if you don't have a backend, I suppose. If you have a backend server that manages the session of the user, could you just use the normal authorization code flow with OpenID Connect to authenticate the user, even for mobile apps?
There can be a few ways to achieve a good practice when you have a backend. For example, you can just do a normal OpenID Connect with code flow to your backend and do all the subsequent transactions between the backend and the Authorization Server/Resource Server. In this case, the App will just be a user interface and you have to keep the session between the App and the backend somehow. However, even in that case, using PKCE (RFC7636) is recommended.
Hi, can I ask what you mean by normal OpenID Connect auth code flow to the backend?
I'm confused about how to best implement it in my project. I currently have Keycloak running locally as an authorization server, Spring Boot as a backend, and a Flutter mobile app as the front end. In my case, do I need two separate clients for the backend and the front end, or can I use the same client? I appreciate any help, and thanks in advance!
What would you do on mobile app when the access_token is expired?
One can use refresh token to get a new access token.
Hello Nat,
Why don't we use only the /token endpoint? For example, instead of getting an authorization code from the authorization endpoint, why don't we get an access_token with user_name and password? What does this give us?
If you do that, then it means all the apps can impersonate the user at full privilege. So, the username and password are no longer trustworthy.
@NatSakimura But what if this is my app and the users in the authorization server are under my control? There is no sense in using a browser for me, because in this scenario the browser is less trusted than my own code. Is this a case for OAuth at all, then?
Why don't you use authorization code with PKCE?
It is using code with PKCE. BCP 212 is the combination of PKCE and in-app browser tab.
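The replies above recommend PKCE (RFC 7636) both for the code flow to a backend and for the native-app flow in BCP 212, without showing what the verifier/challenge binding actually buys you. The following is an added example, not code from the video, the commenters, or any of the projects mentioned (Keycloak, Spring Boot, Flutter). It implements the client side of PKCE per RFC 7636 (random `code_verifier`, S256 `code_challenge`, the authorization request URL) and a toy in-memory authorization server that checks the verifier at the token endpoint; the AS endpoints, client_id, redirect URI and the `AuthorizationServer` class are assumptions for illustration. It also plays out the attack PKCE was designed against: a malicious app on the same device registered for the same custom URI scheme intercepts the authorization code but does not have the verifier, so its token request fails.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed, illustrative values (not from the original thread).
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
CLIENT_ID = "my-mobile-app"
REDIRECT_URI = "com.example.app:/callback"   # custom scheme, as in RFC 8252 / BCP 212


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """RFC 7636 s4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """RFC 7636 s4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(challenge: str, state: str) -> str:
    """The request the app hands to the in-app browser tab (never to an embedded webview)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


class AuthorizationServer:
    """Toy in-memory AS: only the PKCE-relevant checks, nothing else (assumption)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, url: str) -> str:
        """Consumes the authorization request, returns the code sent via the redirect."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("S256 PKCE is required for public clients")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint: the code is single-use and bound to the original challenge."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            return {"error": "invalid_grant"}
        # Constant-time compare of the recomputed challenge against the stored one.
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


def run_flow(intercepted: bool) -> dict:
    """Legitimate app flow; if `intercepted`, a rogue app on the device redeems the code instead."""
    as_ = AuthorizationServer()
    verifier = make_verifier()                      # kept in app memory only
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(s256_challenge(verifier), state)
    code = as_.authorize(url)                       # arrives via the custom-scheme redirect
    if intercepted:
        # The rogue app saw the redirect (and so the code) but never saw the verifier.
        return as_.token(code, CLIENT_ID, REDIRECT_URI, code_verifier=make_verifier())
    return as_.token(code, CLIENT_ID, REDIRECT_URI, code_verifier=verifier)


if __name__ == "__main__":
    print("legit app:", run_flow(intercepted=False))
    print("rogue app:", run_flow(intercepted=True))
```

The point the thread makes applies regardless of whether the token endpoint is called from the mobile app or from a backend that holds the session: the verifier must be generated by whichever party later redeems the code, and the challenge must travel in the authorization request, otherwise a stolen code is as good as the user's credentials.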