Integrate oauth2 with native (iOS/Android) mobile application

Question

I need to integrate OAuth2 in a iOS and Android native application. I have been researching on OAuth2 and mobile applications and found this documentation - Google APIs - Us

Answer 1

From my experience, I've found that there are very little libraries that actually support retrieving the authorization code in a clean way.

On most mobile platform you can "listen" to redirection URLS (being http or some custom scheme)

For example on Android one can easily create an activity to retrieve an access token (based on an authorization code it receives via the redirection URL.

    >
        
            
            
            
            
        
       

In this case

http://localhost

On mobile platforms like Android this seems like the logical thing to do.

The same can be done on iOS, but the Google OAuth library for iOS uses the page title approach if I remember correctly.

Technically there is no difference between the 2 flows. The only difference is the syntax of the redirection URL, resulting in a different location of the authorization code.

From a security point of view, the authorization code alone is worthless without the OAuth2 client secret.

Having the user enter an authorization code is something that I'm not used to seeing in Oauth2 flows but it is possible. If doubt that it will add anything security-wise. IMHO it will only frustrate the user.

That doesn't mean that there are different ways of retrieving and processing an authorization code (Automatic capturing of the code through redirects with localhost or custom URI schemes, or manual delivery)