When creating a native mobile app, it is often necessary to call RESTful Web services securely using OAuth. To do this, the native app needs an Access Token (AT). There are various ways for the app to get such a token, each presenting certain pros and cons. Around the Web, you will find two primary suggestions on how to do this:
- From the native app, pop open a browser to the Authorization Server (AS) where the user will authenticate and authorize the native app to access their resources. Return the AT to the native app via a scheme registered with the mobile OS.
- Embed a Web browser control in the native app that renders the AS's Web pages inside it, and capture the AT from the redirect as it goes by.
The problem with the first is that multiple applications can register for the same custom scheme, so another app installed on the device can claim it and receive the redirect that carries the AT; this opens the native app up to phishing. The latter is a problem because the native app can see everything that passes through the embedded browser control, including the Resource Owner's (RO's) credentials. That is fine if you trust the app not to capture them, but that isn't always the case, and it is reminiscent of the password anti-pattern that OAuth was designed to fix. For more details on these attacks, see this whitepaper (PDF).
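To make the two failure modes concrete, here is an added example (not code from the original post or from any of the IIW participants) that models both approaches in Python. The Authorization Server, the OS scheme registry, the two apps and the RO's credentials are all constructed for illustration; in particular, the assumption that the most recently installed app claiming a scheme wins is a property of this model, not of any specific mobile OS. The point it shows is that with a custom-scheme redirect the AT lands in whichever app claimed the scheme, and with an embedded browser control the hosting app sees the RO's username and password.

```python
"""Model of the two common ways a native app obtains an OAuth Access Token (AT)
and of the weakness in each. The AS, OS scheme registry, apps and credentials
are constructed for this example; none of it is a real platform API."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Minimal AS: checks the client's registered redirect URI, authenticates
    the Resource Owner (RO) and returns a redirect carrying the AT in the
    fragment (implicit-style delivery, as the approaches above use)."""

    def __init__(self, clients, users):
        self.clients = clients  # client_id -> redirect_uri registered for it
        self.users = users      # constructed RO credentials for the demo

    def authorize(self, client_id, redirect_uri, username, password):
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri not registered for client")
        if self.users.get(username) != password:
            raise PermissionError("RO authentication failed")
        at = secrets.token_urlsafe(16)
        return redirect_uri + "#" + urlencode({"access_token": at, "token_type": "bearer"})


class NativeApp:
    def __init__(self, name):
        self.name = name
        self.access_token = None
        self.observed_credentials = []  # filled only by the embedded-browser flow

    def handle_url(self, url):
        """Callback the OS invokes for a scheme this app registered."""
        self.access_token = parse_qs(urlparse(url).fragment).get("access_token", [None])[0]


class MobileOS:
    """Scheme -> handler registry. Assumption of this model: any installed app
    may claim any custom scheme, and the most recently registered claimant wins."""

    def __init__(self):
        self.handlers = {}

    def register_scheme(self, scheme, app):
        self.handlers.setdefault(scheme, []).append(app)

    def open_url(self, url):
        apps = self.handlers.get(urlparse(url).scheme)
        if not apps:
            raise LookupError("no handler for scheme")
        apps[-1].handle_url(url)
        return apps[-1].name  # which app actually received the redirect


def system_browser_flow(os_, as_, client_id, redirect_uri, username, password):
    """Approach 1: RO authenticates in the system browser; the AT comes back
    via a custom scheme. Returns the name of the app the OS delivered it to."""
    redirect = as_.authorize(client_id, redirect_uri, username, password)
    return os_.open_url(redirect)


def embedded_browser_flow(app, as_, client_id, redirect_uri, username, password):
    """Approach 2: the app hosts the browser control, so every form post,
    including the RO's credentials, passes through the app before the AS."""
    app.observed_credentials.append((username, password))  # the app can log these
    app.handle_url(as_.authorize(client_id, redirect_uri, username, password))
    return app.access_token


def is_hijackable_redirect(redirect_uri):
    """Check: a custom (non-https) scheme can be claimed by more than one app."""
    return urlparse(redirect_uri).scheme != "https"


def demo():
    redirect_uri = "myapp://oauth/callback"  # constructed custom scheme
    as_ = AuthorizationServer({"myapp-client": redirect_uri}, {"alice": "correct horse battery"})
    os_ = MobileOS()
    good, evil = NativeApp("GoodApp"), NativeApp("EvilApp")
    os_.register_scheme("myapp", good)
    os_.register_scheme("myapp", evil)  # installed later, claims the same scheme
    receiver = system_browser_flow(os_, as_, "myapp-client", redirect_uri, "alice", "correct horse battery")
    embedded_browser_flow(good, as_, "myapp-client", redirect_uri, "alice", "correct horse battery")
    return {
        "scheme_receiver": receiver,
        "evil_got_token": evil.access_token is not None,
        "good_saw_credentials": good.observed_credentials,
        "hijackable": is_hijackable_redirect(redirect_uri),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the AT from the system-browser flow arriving at `EvilApp`, and `GoodApp` holding the RO's password after the embedded-browser flow; `is_hijackable_redirect` is the quick check a reviewer would apply to a client's registered redirect URI before trusting the first approach.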
At IIW this week, Personal's CTO, Tarik Kurspahic, organized a session to talk about how best to get OAuth tokens into native apps. In it, he, Scotty Logan of Stanford University, I, and the other participants came up with the following alternative to the popular suggestions above, which does not allow the installed app to see the RO's credentials and is not susceptible to phishing. Here's a diagram showing what we came up with.