Hi, to start let me thank you for posting this sample. It has helped me understand and do some implementations of my own to use OIDC on Android. I'm looking forward to the lib ;)
I'd just like to point out that, from http://tools.ietf.org/html/rfc6749#section-10.1, we know that:
The authorization server MUST NOT issue client passwords or other client credentials to native application or user-agent-based application clients for the purpose of client authentication. The authorization server MAY issue a client password or other credentials for a specific installation of a native application client on a specific device.
So Android apps must not use the Code Flow; instead they should use the Implicit Flow. It's OK for testing purposes, but it may be a security issue if used in production as it is (I know you pointed to DexGuard to obfuscate) and just adds layers of complexity for, let's say, nothing.
The Implicit Flow has its constraints and limits (i.e. no refresh tokens), but I think it would be interesting, for completeness' sake, to implement this flow.
I'm working on it, so if I manage to do something clean I'll make a pull request.
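As an added illustration of the flow the comment above argues for (this is example code, not the sample's or its author's), here is the implicit-flow authorization request and the client-side handling of the redirect back into the app, written in Python so it runs stand-alone. The issuer, client_id, custom-scheme redirect URI and the redirect response itself are constructed placeholders; the ID token's signature is assumed to be verified against the provider's JWKS by a JOSE library before any claim is used, and that step is not reproduced here. One caveat from current guidance: the property the comment wants, no client secret shipped in the APK, is also obtained with the authorization code flow plus PKCE (RFC 7636), which RFC 8252 recommends over the implicit flow for native apps; the state and nonce checks below apply to either flow.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed example values (assumptions, not from the sample): a real app
# uses its provider's issuer, its registered client_id and its own redirect URI.
ISSUER = "https://idp.example.com"
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "android-sample-app"
REDIRECT_URI = "com.example.app:/oauth2callback"


def build_implicit_request(state, nonce):
    """Authorization request for the implicit flow (OIDC Core 3.2.2.1).

    Note what is absent: no client_secret. The app is identified by client_id
    only, which is all RFC 6749 10.1 allows a native client to carry. `state`
    binds the response to this request (CSRF), `nonce` is echoed in the ID
    token so the token can be bound to this session.
    """
    params = {
        "response_type": "id_token token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_implicit_response(redirect_url, expected_state, expected_nonce, now=None):
    """Parse the redirect that lands back in the app and run the client checks.

    Tokens travel in the URI fragment, never the query string, so they do not
    reach server logs or proxies. Raises ValueError on any mismatch.
    """
    now = time.time() if now is None else now
    parts = urlsplit(redirect_url)
    if parts.query:
        raise ValueError("implicit flow returns tokens in the fragment, not the query")
    frag = {k: v[0] for k, v in parse_qs(parts.fragment, strict_parsing=True).items()}
    if "error" in frag:
        raise ValueError("authorization server returned error: " + frag["error"])
    if frag.get("state") != expected_state:
        raise ValueError("state mismatch: response is not bound to our request")
    if frag.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    header_b64, payload_b64, _signature = frag["id_token"].split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("unsigned ID token rejected")
    # Assumption: the signature is verified against the provider's JWKS by a
    # JOSE library before this point; only the claim checks are shown here.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("ID token was not issued for this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID token replayed or from another session")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return {"access_token": frag["access_token"], "claims": claims}


def make_constructed_redirect(state, nonce, now):
    """Constructed stand-in for the authorization server's redirect, used only to
    exercise the parser offline. The signature segment is a placeholder; a real
    provider signs with RS256 and the app verifies it via the provider's JWKS."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "exp": int(now) + 300, "iat": int(now), "nonce": nonce}
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    id_token = enc(header) + "." + enc(claims) + ".placeholder-signature"
    frag = urlencode({"access_token": "SlAV32hkKG", "token_type": "Bearer",
                      "expires_in": "3600", "state": state, "id_token": id_token})
    return REDIRECT_URI + "#" + frag


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_implicit_request(state, nonce))
    now = time.time()
    result = parse_implicit_response(make_constructed_redirect(state, nonce, now), state, nonce, now)
    print(result["claims"]["sub"])
```

On Android the `state` and `nonce` values have to survive the round trip through the system browser or Custom Tab, so they belong in persistent storage keyed to the pending request, not in an Activity instance that may be recreated before the redirect arrives.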