How to use implicit grant type in OAuth 2.0 for mobile apps?

Question

I have read a tutorial regarding OAuth 2.0 and implicit grant type. I still don\'t understand how implicit grant type will work for mobile (iOS or Android). For example if we cr

Answer 1

For Oauth2 in mobile apps you can set your redirect_uri to some dumy URL like http://localhost/redirect/ and then use the webview's "onload" event to check the URL for access_token

For example in iOS, you can load the authorization url in webview, and use delegate method to check the redirect_uri for access_token like this:

- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType {
    NSURL *Url = [request URL];
    ...
}

You can also do this in Phonegap app with HTML5/JavaScript using InAppBrowser:

var loginWindow = window.open(login_url, '_blank', 'location=yes');
$(loginWindow).on('loadstart', function(e) {
    var url = e.originalEvent.url;
    var access_token = url.split("access_token=")[1];
    ...
}

full code here: https://github.com/krisrak/jquery-cordova-oauth2

Answer 2

The implicit grant type isn't well suited for mobile apps. This is what the corresponding RFC (RFC 6749) has to say about it:

The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.

For a mobile app, you're better off with the Resource Owner Password Credentials flow if you're making the official app for your own service, or the Authorization Code flow if you're accessing a third-party web service.