oauthidentityserver3openid-connectidentityserver4

Identity Server : Grant Type for native mobile apps


I have implemented an Identity Server4 and it looks great. Now, I have a requirement to connect a native mobile app(xamarin) to it.Most of the blogs and discussions suggest to use either "Authorization Code" or "Hybrid" flow, and the xamarin example in the github uses "Implicit" flow.

I have been through this documentation on Authorization flow and it does not talk anything about username or password. https://identityserver4.readthedocs.io/en/release/endpoints/authorize.html

What I need is to allow the user to supply his/her username and password to the authentication server, and the server should ultimately give back the access code.

  1. Which will be the most appropriate authentication flow for this.

Solution

  • There are two "mindsets" -

    a) the login UI is native in the application

    b) the login UI is rendered from the OpenID Connect in a browser

    Generally b) is recommended - check the spec:

    https://tools.ietf.org/wg/oauth/draft-ietf-oauth-native-apps/

    I also did a talk about that last year:

    https://vimeo.com/171942749

    If you absolutely don't want the redirect/server-based approach, then research the "resource owner password grant" - e.g. here:

    https://identityserver4.readthedocs.io/en/release/quickstarts/2_resource_owner_passwords.html

    But, I would not recommend it.