Let's imagine the following:

  1. I've developed a mobile app using Xamarin (iOS/Android compatible)
  2. I want it to support OAuth2 + OpenID Connect's authorization code flow with PKCE, so that the user's credentials are never stored on the device, but rather an access token is. The token grants access to an API used to make the whole mobile app function, meaning the mobile app is simply a front-end interface/UI.
  3. Is my mobile app considered the "client application", or the "Resource owner"?

The third step makes it so hard for me to grasp this. If it's considered the client application, how will following through the whole code flow protect us from anything, as most of the things will be visible? (Mobile apps are public clients; there is no back-channel.)

If it's considered resource owner, then does that mean I'd have to whip out an entire dedicated back-end, separate from my API, separate from my Authorization Server, and just specific for the mobile app (it will be the "Client application")?

If someone could shine some light on this, please let me know. I know the title is not very correct, if someone could edit it to better fit this question, I'd be very thankful.

SpiritBob

1 Answer

Your mobile app is the "client application", and the API that makes the client app function is the "resource server" (the "resource owner" is normally the person using the app).

The use of PKCE here protects against an attacker intercepting the authorization code, which can be relatively easy on mobile apps if custom URI schemes are used. Like you say, mobile apps are public clients, and so without PKCE an attacker would be able to exchange the authorization code for an access token and make calls against your backend. However, when using PKCE the attacker also needs to know the "code verifier", which is randomly generated and stored only in memory by the client app each time it makes a request.

See also:

Justin
  • I might ask you for some clarifications down the road, thank you for this answer! – SpiritBob Jan 17 '20 at 08:59
  • is it still recommended to go through authorization code flow + PKCE if you have the option, if you own both the mobile app and the server (i.e the app is fully trusted in that sense, meaning you can safely use Resource Owner Password credentials?) – SpiritBob Feb 05 '20 at 17:13
  • @SpiritBob yes, because that way you can more easily change the login experience (e.g. Forgotten password, 2FA etc...). – Justin Feb 05 '20 at 19:15
  • @SpiritBob hi there just stumbled in this thread and I am going through the learning curve of implementing PKCE with a xamarin forms app, is there any walkthrough or code I could download that I could learn from? grateful for any replies – developer9969 Nov 13 '21 at 11:43
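The protection the answer describes, worked through as an added example (not code from the question, the answer, or any Xamarin library): the client derives an S256 code challenge from a verifier it keeps only in memory, a toy authorization server binds that challenge to the code it issues, and at the token endpoint a party that captured the redirect but never held the verifier is refused. The class and function names (`AuthorizationServer`, `run_flow`) are assumptions for the illustration.

```python
import base64
import hashlib
import secrets

# PKCE (RFC 7636): the verifier is 43..128 chars of [A-Za-z0-9-._~] kept in
# client memory; the S256 challenge is BASE64URL(SHA256(verifier)), unpadded.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def generate_code_verifier() -> str:
    # 32 random bytes -> 43 base64url characters, the RFC minimum length
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Toy authorization server (assumed name): binds each issued code to its challenge."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted here")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code  # sent back through the redirect URI (observable on a public client)

    def token(self, code: str, code_verifier: str):
        challenge = self._pending.pop(code, None)  # codes are single-use
        if challenge is None:
            return None
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None  # verifier does not match the bound challenge: reject
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_flow(server: AuthorizationServer, redeem_with_own_verifier: bool):
    """One code flow; the redeeming party either holds the verifier or only the code."""
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    # A party that saw the redirect holds `code` but never saw `verifier`.
    presented = verifier if redeem_with_own_verifier else generate_code_verifier()
    return server.token(code, presented)
```

`run_flow(srv, True)` returns a token; `run_flow(srv, False)` returns `None`, and the consumed code cannot be retried.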