
Q: Is the authorization code flow as good for native/mobile as for web? Chatting with my Bot

i-Tego masters generative AI using your company’s data. We can therefore provide you with advanced search tools on a very large number of documents of all types, explore your databases, your emails, etc. All with automatic translation!

i-Tego chat bot
i-Tego offers companies a chat bot whose document base includes their own data.
The prototype can be seen here: https://chat.i-tego.com
Warning! This product is under constant development and may be unavailable.

This is an example built on i-Tego’s documents:

Q: What are the key points to consider when using the authorization code flow with a native/mobile application?

R: When using the authorization code flow with native/mobile applications, there are several key points to consider:

Security: Native/mobile applications cannot securely store the client secret, which could be exposed through reverse-engineering. Therefore, additional security measures such as Proof Key for Code Exchange (PKCE) should be implemented to mitigate this risk.

Client Type: Native/mobile applications should be registered as "public" clients on the server, meaning they have a null secret.

Code Challenge: Instead of the client secret, the application should generate a random code verifier and send its hash as the code challenge parameter during the authorization request.

Token Exchange: After the user authentication and receiving the authorization code, the application exchanges it for tokens, including the code verifier parameter.

Code Challenge Creation: The code challenge is created by hashing the code verifier with SHA256 and encoding it in base64 URL format. The code challenge method should be set to ’S256’.

Additional Security Measures: Implementing methods like PKCE enhances the security of the token issuance process and helps prevent interception or misuse of authorization codes by malicious applications residing on the same user-agent.

These considerations help ensure the security and integrity of the authorization process for native/mobile applications using the authorization code flow.

Q: What does OAuthSD say about this: is the authorization flow as good for native/mobile applications as for web applications?

R: OAuthSD emphasizes the importance of using the Authorization Code flow for web applications due to its ability to provide a secure way to handle authorization. This flow is particularly well-suited for web applications that require a constant connection to the server and deal with sensitive data. However, OAuthSD also mentions that certain systems may find the simplicity of OAuth 2.0 flows, such as the Client Credentials Grant, more suitable for their needs, especially in trusted environments where user identification is not a priority.

In summary, while the Authorization Code flow is highly recommended for web applications, OAuthSD acknowledges that different application types may have varying requirements and security considerations when it comes to authorization flows.

Sources:

Découvrir - OpenID Connect OAuth Server dédié.pdf (page 22)
Authentifier l’application - OpenID Connect OAuth Server dédié.pdf (page 1)

Q: What does OAuthSD say about the security of the authorization code flow for native/mobile applications?

R: OAuthSD emphasizes the importance of security when using the Authorization Code Flow for native/mobile applications. The Authorization Code Flow is considered safe when applied to web applications with a back-end, as it provides a secure way to authenticate and authorize access to protected resources. However, for native/mobile applications, additional considerations are needed to ensure the security of the authentication process.

OAuthSD highlights the need to verify the origin of requests received by a resource server to prevent token theft by foreign applications. This strict security approach leads to the conclusion that the Authorization Code Flow is only considered safe for web applications with a back-end. This means that for native/mobile applications, there may be limitations or vulnerabilities that need to be addressed to ensure the security of the authentication process.

In summary, while the Authorization Code Flow is a secure option for web applications with a back-end, additional security measures may be necessary when implementing this flow for native/mobile applications to prevent unauthorized access and protect sensitive data.