Desktop and Mobile Apps
Authentication and delegated authorization for desktop and mobile applications and a public client overview.
Jump to Section
Jump to a section in the video for an explanation of a specific topic.
- Public clients
- Authorization code grant and public clients
- Driving interactive authentication using browser surfaces
- Embedded browser/webview; browser controls
- System browsers on iOS and Android
- Need PKCE when using system browsers
- System browser in desktop apps is not easy
- When no browser is available on the device, the device flow is required
- Authorization code + PKCE diagram
- Authorization request from the system browser
- A refresh token loosely represents a session between the client and the resource
- Redirect URI using a protocol scheme for handling system browser-app communication
- PKCE code challenge
- Authorization response
- Returning the code from the system browser to the app
- Redeeming the authorization code
- Challenges with refresh tokens without secrets
- Using a refresh token for getting a new access token in native clients
- Mitigating issues with the use of bearer tokens and secret-less refresh tokens
- Refresh tokens play the function of session artifacts for native clients and APIs
- Resource Owner Password Grant (ROPG)
- Dangers and limitations of using raw credentials
- How to address requests for ROPG from customers
- One exception in which ROPG might be temporarily acceptable
- ROPG diagram
- Other grants
Single Page Apps
Authentication and delegated authorization for single page applications.
Introduction to Identity
A whirlwind tour of identity history, concepts, and terminology: protocols, open standards, SSO, OAuth2, OpenID Connect and more.
OpenID Connect and OAuth2
OpenID Connect and OAuth specifications, roles, and grants.
Authentication for web applications using OpenID Connect.
Calling an API
How to obtain and use access and refresh tokens for delegated authorization in a traditional web application.