Saturday, 24 January 2015

OAuth2 + Resource Owner Password Credentials + Public Clients



I'm developing a REST API which is going to be used by a web client (AngularJS), an iOS client and an Android client (the "official" clients). That being, I need a secure way for users to authenticate using these apps and obtain some kind of temporary token which can be used in subsequent requests. This seems to be what OAuth2 was made for, so I've implemented OAuth2 authentication. However, I've got a number of questions regarding the overall security of what I've built:



  1. As these are the "official" clients, it really doesn't make any sense to use a "redirection-based" flow, which leaves me with the "Resource Owner Password Credentials" flow as my only option. However, the spec says that this flow "is often used for legacy or migration reasons", which is also clearly not the case here. Am I overlooking something here? Am I choosing the "right" flow? How do other big players like Facebook or Twitter handle their "official" apps?

  2. From what I understand of the spec, these clients are considered "public clients", which means that there is no benefit from using a "client secret". However, the spec is a bit vague regarding this kind of client. Are there any particular pitfalls to watch out for in regard to the interaction between these clients and the authorization server?

  3. Finally, and perhaps most important... Is this whole "Resource Owner Password Credentials + Public Clients" scheme secure at all? Or am I just implementing some kind of "Toy Security™" here?
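As an added illustration (not part of the original post), here is what a minimal Resource Owner Password Credentials token endpoint for public clients looks like, together with the server-side controls that RFC 6749 leaves to the implementer: known-client check without a secret, short-lived bearer tokens, constant-time password verification and a failure counter. Client IDs, the user store and the salt are constructed for the example.

```python
# Added example: a minimal OAuth2 token endpoint for the Resource Owner Password
# Credentials grant (RFC 6749 section 4.3) used by registered *public* clients.
# Everything below (client IDs, users, salt, TTLs) is constructed for illustration.
import hashlib
import hmac
import secrets
import time

# Public clients can be identified but cannot keep a secret, so the endpoint only
# checks that client_id is registered (RFC 6749 sections 2.1 and 3.2.1).
PUBLIC_CLIENTS = {"official-web", "official-ios", "official-android"}

_SALT = b"constructed-salt"  # a real store would salt per user


def _pbkdf2(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _pbkdf2("correct horse")}  # constructed user store
_DUMMY_HASH = _pbkdf2("")                     # compared for unknown users

ACCESS_TTL = 600    # short-lived tokens limit exposure when a public client leaks one
MAX_FAILURES = 5    # ROPC exposes the password check directly; throttle guessing
_failures = {}      # username -> consecutive failed attempts
_tokens = {}        # access_token -> (username, expiry)


def token_endpoint(form, now=None):
    """Return (http_status, json_body) for a token request, per RFC 6749 section 5."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if form.get("client_id") not in PUBLIC_CLIENTS:
        return 401, {"error": "invalid_client"}
    user, pw = form.get("username", ""), form.get("password", "")
    if _failures.get(user, 0) >= MAX_FAILURES:
        return 400, {"error": "invalid_grant", "error_description": "too many attempts"}
    # Always hash and compare in constant time so unknown users are not distinguishable.
    ok = hmac.compare_digest(_pbkdf2(pw), USERS.get(user, _DUMMY_HASH)) and user in USERS
    if not ok:
        _failures[user] = _failures.get(user, 0) + 1
        return 400, {"error": "invalid_grant"}
    _failures.pop(user, None)
    access = secrets.token_urlsafe(32)
    _tokens[access] = (user, now + ACCESS_TTL)
    return 200, {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL}


def validate_bearer(token, now=None):
    """Resource server side: return the username if the bearer token is still live."""
    now = time.time() if now is None else now
    entry = _tokens.get(token)
    return entry[0] if entry and entry[1] > now else None
```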
