Currently, I'm working on a REST API which will be available to public clients, but I also want to use it in my mobile application.
For the public clients, I considered using the Client Credentials grant; in this case, they would have to register their app in my web application, which would give them the client key and client secret. Then they could request the access token with them, and I could also know the user related to the credentials.
But with my mobile application, I'll need to have a sign-in section where I would need to use the Authorization Code grant in order to secure my data, but I'm not sure if it's necessary.
Based on this, I have a couple of questions: 1. Is the Authorization Code grant the best way to do it? 2. Is it bad practice to have two authorization flows on the same endpoint? 3. Dropbox, Twitter, etc. all have REST APIs; how do they manage authorization in their own apps?
Thanks beforehand, and sorry for all the questions.
via Chebli Mohamed
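The two grants the post describes, served by a single token endpoint that dispatches on `grant_type`, as an added example (not part of the original post, and not the code of any of the services it names). The confidential partner client authenticates with a secret and gets a token for the account that registered it; the mobile app is a public client that cannot keep a secret, so it goes through the Authorization Code grant with PKCE (RFC 7636) and the code is single-use and bound to the client, redirect URI and challenge. The client registry, client names, redirect URI, secrets and helper names are constructed assumptions; a real service would back them with a database and run this behind an HTTPS framework.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed client registry (assumption: a real service keeps this in a DB).
# A confidential client (server-side partner app) holds a secret and maps to the
# account that registered it; the mobile app is a public client with no secret,
# so it is bound to its redirect URI and must present a PKCE verifier instead.
CLIENTS = {
    "partner-app": {
        "type": "confidential",
        "secret_hash": hashlib.sha256(b"partner-secret").hexdigest(),
        "owner": "alice",
    },
    "mobile-app": {"type": "public", "redirect_uri": "com.example.app://callback"},
}

AUTH_CODES = {}      # code -> {client_id, sub, redirect_uri, code_challenge, expires}
ACCESS_TOKENS = {}   # token -> {sub, client_id, expires}
CODE_TTL = 60        # seconds: codes are short-lived and single use
TOKEN_TTL = 3600


def make_pkce_pair():
    """Client side: a random verifier and its S256 challenge."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def issue_authorization_code(client_id, sub, redirect_uri, code_challenge):
    """Authorization endpoint step: after the user has signed in and consented,
    mint a one-time code bound to the client, user, redirect URI and challenge."""
    client = CLIENTS.get(client_id)
    if client is None or client["type"] != "public":
        raise ValueError("unknown or non-public client")
    if redirect_uri != client["redirect_uri"]:
        raise ValueError("redirect_uri not registered for this client")
    code = secrets.token_urlsafe(32)
    AUTH_CODES[code] = {
        "client_id": client_id, "sub": sub, "redirect_uri": redirect_uri,
        "code_challenge": code_challenge, "expires": time.time() + CODE_TTL,
    }
    return code


def _issue_token(sub, client_id):
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = {"sub": sub, "client_id": client_id,
                            "expires": time.time() + TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def _client_credentials(form):
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or client["type"] != "confidential":
        return {"error": "invalid_client"}
    presented = hashlib.sha256(form.get("client_secret", "").encode()).hexdigest()
    if not hmac.compare_digest(presented, client["secret_hash"]):
        return {"error": "invalid_client"}
    # The token acts for whoever registered the client, which answers the
    # "know the user behind the credentials" requirement.
    return _issue_token(client["owner"], form["client_id"])


def _authorization_code(form):
    record = AUTH_CODES.pop(form.get("code", ""), None)  # single use: a replay fails
    if record is None or record["expires"] < time.time():
        return {"error": "invalid_grant"}
    if record["client_id"] != form.get("client_id"):
        return {"error": "invalid_grant"}
    if record["redirect_uri"] != form.get("redirect_uri"):
        return {"error": "invalid_grant"}
    # PKCE: the verifier proves the caller is the same app that started the flow.
    digest = hashlib.sha256(form.get("code_verifier", "").encode()).digest()
    computed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    if not hmac.compare_digest(computed, record["code_challenge"]):
        return {"error": "invalid_grant"}
    return _issue_token(record["sub"], record["client_id"])


def token_endpoint(form):
    """One /token endpoint dispatching on grant_type; RFC 6749 allows this."""
    handlers = {
        "client_credentials": _client_credentials,
        "authorization_code": _authorization_code,
    }
    handler = handlers.get(form.get("grant_type"))
    if handler is None:
        return {"error": "unsupported_grant_type"}
    return handler(form)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    code = issue_authorization_code("mobile-app", "bob", "com.example.app://callback", challenge)
    print(token_endpoint({"grant_type": "authorization_code", "client_id": "mobile-app",
                          "code": code, "redirect_uri": "com.example.app://callback",
                          "code_verifier": verifier}))
    print(token_endpoint({"grant_type": "client_credentials", "client_id": "partner-app",
                          "client_secret": "partner-secret"}))
```

Sharing one endpoint is the normal layout: the `grant_type` parameter exists precisely so that one token URL can serve several flows, and what actually separates the two cases is the client registration (confidential with a secret versus public with a registered redirect URI and PKCE), not the URL. The checks that matter for the mobile case are the ones a server-side secret cannot provide: a code that can be redeemed once, only by the client it was issued to, only at the registered redirect URI, and only with the verifier matching the challenge sent at the start.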