approov/AppAuth-OAuth2-Approov

Strengthens OAuth2 authorization by using mobile app attestation

Strengthening OAuth2 for Mobile Clients

OAuth2, often combined with OpenID-Connect, is a popular authorization framework that enables applications to protect resources from unauthorized access. It delegates user authentication to an authorization service, which then authorizes third-party applications to access the protected resources on the user’s behalf. OAuth2 provides authorization flows for both web and mobile applications.

OAuth2's most popular flow is the authorization code grant flow, which is used to grant confidential clients access to protected resources. Clients use a client_id to identify themselves and a client_secret to authenticate themselves to the authorization service.

Unfortunately, native mobile clients are not good at keeping static secrets. Since a client secret shipped inside a public client is no secret at all, many identity and authorization service providers simply drop the client secret for mobile apps. Either way, without proper client authentication the OAuth2 flow is exposed to authorization code exchange attacks and client app impersonation.

A dynamic app authentication service such as Approov, which is used freely in this demo, can be used to reintroduce confidential client authentication into the mobile client OAuth2 flow.

AppAuth

AppAuth is an open source SDK for native Android and iOS apps which implements the OAuth2 and OpenID Connect (OIDC) best-practice specifications in a platform-friendly manner.

The SDK follows the OAuth 2.0 for Native Apps best practices, including the PKCE extension and custom tab browsers, and provides hooks to extend the protocol beyond the basic flow.

As an open source project, AppAuth has GitHub repositories for Android and iOS which include good documentation, a demo app, and integration with multiple authorization services.

Getting Started

A sample app, implemented in Android, provides a concrete example of using AppAuth and Approov to authorize access to private resources. The Books App uses the Google Books API and Google Sign-In services to search for books (protected by an API key) and to show a signed-in user’s favorite book selections (protected by OAuth2). The app was developed on Android to further explore AppAuth SDK usage with a common application architecture and support libraries.

An OAuth2 adapter, implemented in Node.js, is used to add Approov app authentication into the existing Google OAuth2 code grant flow.

To follow along, start by cloning the AppAuth-OAuth2-Approov project on GitHub, available at github.com/approov. It requires some configuration, so it will not run out of the box. At a minimum, you will need to provide a keystore, a Google API key, and Google OAuth2 credentials.

See the article Strengthening OAuth2 for Mobile at the Approov blog or on Medium for instructions on how to get the app and adapter service running.
