I'm doing research on the OAuth 2.0 protocol.
I got stuck on the problem of generating bearer tokens for desktop/mobile applications that don't run on a web server.
I have a C# desktop application where I had a similar problem. I was not getting proper answers on how to implement OAuth in desktop applications. To solve this issue I used the inbuilt WebBrowser control, read the auth code from the callback URL, and generated the token. But a few months back, sites like Shopify, eBay, and QBO stopped supporting IE11 and older versions, and unfortunately that inbuilt WebBrowser control uses the libraries of IE11, so I was stuck again.
To overcome all the hurdles I implemented C# listeners, and that solved the issue permanently; now my app is browser-independent.
You can watch my complete video on that here and can also download the sample project from here.
The OAuth wiki lists numerous options you can use, all of which have downsides. The simplest involves you running a web app that can display the token to the user, and then the user copies the token (and maybe the refresh token) into your desktop app.
If you have plenty of time, then you could investigate registering a custom URI with the desktop operating system, and then use that as the redirect_uri to automatically transfer back to your app from the browser. This has the best user experience.
A malicious app can easily pretend to be your desktop app in these scenarios, and security relies on your users not installing malicious apps.
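
A loopback listener like the one the first answer describes, written here as an added example (not code from either poster or from the sample project mentioned above), with a per-request `state` value and a PKCE challenge so that a code picked up by another local app cannot be redeemed without the verifier held by this process. It assumes .NET 6 or later and a provider that accepts `http://127.0.0.1:<port>/` redirect URIs and PKCE with S256; `LoopbackOAuth` and `AuthorizeAsync` are hypothetical names, and the authorization endpoint and client id are supplied by the caller.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

static class LoopbackOAuth  // hypothetical helper, not part of any library
{
    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Returns the code plus the PKCE verifier and redirect URI the token request must carry.
    public static async Task<(string Code, string Verifier, string RedirectUri)> AuthorizeAsync(string authEndpoint, string clientId)
    {
        // Let the OS pick a free loopback port; a fixed port could be claimed first by another process.
        var probe = new TcpListener(IPAddress.Loopback, 0);
        probe.Start();
        int port = ((IPEndPoint)probe.LocalEndpoint).Port;
        probe.Stop();
        string redirectUri = $"http://127.0.0.1:{port}/";
        string state = B64Url(RandomNumberGenerator.GetBytes(32));     // ties the callback to this request
        string verifier = B64Url(RandomNumberGenerator.GetBytes(32));  // stays in this process until the token exchange
        string challenge = B64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

        using var listener = new HttpListener();
        listener.Prefixes.Add(redirectUri);
        listener.Start();  // throws if the port was taken in the meantime
        string url = $"{authEndpoint}?response_type=code&client_id={Uri.EscapeDataString(clientId)}" +
                     $"&redirect_uri={Uri.EscapeDataString(redirectUri)}&state={state}" +
                     $"&code_challenge={challenge}&code_challenge_method=S256";
        Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });  // system browser, not an embedded control

        HttpListenerContext ctx = await listener.GetContextAsync();
        var query = ctx.Request.QueryString;
        byte[] body = Encoding.UTF8.GetBytes("<html><body>Sign-in finished. You can close this tab.</body></html>");
        ctx.Response.ContentLength64 = body.Length;
        await ctx.Response.OutputStream.WriteAsync(body, 0, body.Length);
        ctx.Response.Close();

        if (query["error"] != null) throw new InvalidOperationException("Authorization failed: " + query["error"]);
        string code = query["code"] ?? "";
        // Anything that reaches the port without the exact state value is rejected.
        if (query["state"] != state || code.Length == 0) throw new InvalidOperationException("Callback rejected: state mismatch or missing code.");
        return (code, verifier, redirectUri);
    }

    static async Task Main(string[] args)  // args: <authorization endpoint URL> <client_id>
    {
        var result = await AuthorizeAsync(args[0], args[1]);
        Console.WriteLine($"Code received on {result.RedirectUri}; send it with code_verifier to the token endpoint.");
    }
}
```

The token request then sends `code`, `code_verifier` and the same `redirect_uri`. This does not stop another app from running its own flow with the same client id, which is the limitation the last answer points out.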