I have read a tutorial regarding OAuth 2.0 and implicit grant type. I still don\'t understand how implicit grant type will work for mobile (iOS or Android). For example if we cr
For OAuth2 in mobile apps you can set your redirect_uri to some dummy URL like http://localhost/redirect/ and then use the webview's "onload" event to check the URL for access_token.
For example in iOS, you can load the authorization URL in a webview and use the delegate method to check the redirect_uri for access_token, like this:
- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType {
    NSURL *Url = [request URL];
    // Only inspect loads of the registered redirect_uri; the implicit grant puts the token in the URL fragment (after '#').
    if ([[Url absoluteString] hasPrefix:@"http://localhost/redirect/"] && [[Url fragment] containsString:@"access_token="]) {
        ...
        return NO; // don't actually load the dummy redirect page
    }
    return YES;
}
You can also do this in a PhoneGap app with HTML5/JavaScript using InAppBrowser:
var loginWindow = window.open(login_url, '_blank', 'location=yes');
$(loginWindow).on('loadstart', function(e) {
    var url = e.originalEvent.url;
    // Only act on the redirect_uri; the token sits in the fragment, so cut it off at the next '&'
    if (url.indexOf('http://localhost/redirect/') === 0 && url.indexOf('access_token=') !== -1) {
        var access_token = url.split("access_token=")[1].split("&")[0];
        ...
        loginWindow.close();
    }
});
full code here: https://github.com/krisrak/jquery-cordova-oauth2
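As an added example that is not part of the original answer or the linked repository: a small parser for the implicit-grant redirect that reads the token fields from the URL fragment (RFC 6749 returns them after '#', not in the query string), only fires on the registered redirect_uri, reports an error response instead of a token, and refuses a token whose state does not match the value the app generated before opening the login window. The function names and the sample redirect URL are assumptions.

```javascript
// Fields the implicit grant returns in the fragment (RFC 6749 section 4.2.2).
const TOKEN_FIELDS = ['access_token', 'token_type', 'expires_in', 'scope', 'state'];

// Parse a key=value&... string into an object. Split on the first '=' only,
// since token values may themselves contain '='.
function parseParams(str) {
  const out = {};
  for (const pair of str.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Inspect a URL seen in the webview's loadstart event.
// Returns null if it is not the redirect_uri (or carries no token yet),
// {error, description} if the server reported an error, otherwise the token
// fields. Throws if state does not match, so a response the app never
// requested is discarded (CSRF protection).
function parseImplicitRedirect(url, redirectUri, expectedState) {
  if (!url.startsWith(redirectUri)) return null;
  const hashIdx = url.indexOf('#');
  const params = parseParams(hashIdx >= 0 ? url.slice(hashIdx + 1) : '');
  if (params.error) {
    return { error: params.error, description: params.error_description || '' };
  }
  if (!params.access_token) return null;
  if (params.state !== expectedState) {
    throw new Error('state mismatch: discarding token');
  }
  const token = {};
  for (const f of TOKEN_FIELDS) if (f in params) token[f] = params[f];
  if (token.expires_in !== undefined) token.expires_in = Number(token.expires_in);
  return token;
}

// Constructed sample redirect, as the webview would see it after login.
const SAMPLE_REDIRECT =
  'http://localhost/redirect/#access_token=abc123&token_type=bearer&expires_in=3600&state=xyz';
```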
The implicit grant type isn't well suited for mobile apps. This is what the corresponding RFC (RFC 6749) has to say about it:
The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.
For a mobile app, you're better off with the Resource Owner Password Credentials flow if you're making the official app for your own service, or the Authorization Code flow if you're accessing a third-party web service.