In 2017, the IETF OAuth2 working group published “Best Current Practice: OAuth 2.0 for Native Apps”. The mobile, authentication and authorization spaces move fast, and in the 4 years since we’ve seen a raft of new capabilities in mobile hardware, mobile operating systems and in the protocols.
There is (in normal years!) an ever-increasing expectation that users can perform the full range of operations previously performed on desktop PCs whilst out and about, using potentially insecure networks, without compromising on security and while still enjoying modern, friction-free user experiences. This presents a number of new challenges, particularly in business-to-consumer or employee bring-your-own-device environments, where the device is not under the same strict controls and policies that would be applied in a fully managed corporate environment.
Joseph talks about what has changed in the 4 years since the IETF document, and the new protocols and standards (FAPI, DPoP, DCR, …) that are now commonly used. He talks about patterns he has used in apps recently, ranging from ‘simple’ low-risk apps through to higher-risk areas like finance, payments and railway maintenance, and when those patterns should (and shouldn’t) be used.