0

I am a mobile dev, and now for a project I need to authenticate with a backend service using IdentityServer4 and OAuth2.

The project has things set up so it is using OIDC for authentication.

BUT

It is on a "password" flow, so it is not the implicit flow (log in on a browser to FB, Google, and come back to the app after that).

So basically I just ended up using a fetch request to do a POST to the server with the username and password... Then get the token and refresh token and take it from there...

So, my question is: what is the benefit of using OIDC if the username and password will be sent anyway (HTTPS)?

Is this a common thing? I couldn't find a library for React Native for OIDC that didn't use the browser. The most similar thing was a library on Node.

asked Sep 5, 2020 at 3:31

1 Answer

2

One of the password flow use cases is:

  • there are legacy clients that cannot support redirections
  • but you still want to be sure that your credentials are handled centrally (by your Identity Provider).

Even if it is not a suggested flow to use, there could still be valid reasons to use it.

In this case, implicit flow or PKCE cannot be used. You can imagine your backend still gets the benefit of not storing user credentials. Also, your company manages all users centrally, which is more secure than exposing credentials to different services (logs, their db etc.).

joshp
3,501 reputation, 1 gold badge, 24 silver badges, 30 bronze badges
answered Sep 5, 2020 at 17:35
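
The flow discussed in this thread, sketched as an added example (not code from the question or the answer): the password appears in exactly one request to the identity provider, and everything afterwards runs on tokens. The authority `https://idp.example.com`, the client id `mobile-app` and the helper names are assumptions; `/connect/token` is IdentityServer4's token endpoint path, and `offline_access` is the scope that requests a refresh token.

```javascript
// Added example: URL, client_id and helper names are assumptions, not from the post.
const config = {
  tokenEndpoint: "https://idp.example.com/connect/token", // placeholder authority
  clientId: "mobile-app",                                  // hypothetical client
  scope: "openid offline_access", // offline_access asks for a refresh token
};

// Encode a flat object as application/x-www-form-urlencoded.
const form = (fields) =>
  Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");

const tokenRequest = (cfg, fields) => ({
  url: cfg.tokenEndpoint,
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: form({ client_id: cfg.clientId, ...fields }),
});

// Password grant (RFC 6749 section 4.3): the only request that carries the password.
const passwordGrant = (cfg, username, password) =>
  tokenRequest(cfg, { grant_type: "password", username, password, scope: cfg.scope });

// Refresh grant (RFC 6749 section 6): renews the session without the password.
const refreshGrant = (cfg, refreshToken) =>
  tokenRequest(cfg, { grant_type: "refresh_token", refresh_token: refreshToken });

// Holds tokens only; the username and password are never kept.
class TokenStore {
  accept(res, nowMs) {
    if (res.error || !res.access_token) {
      throw new Error(`token endpoint refused: ${res.error || "no access_token"}`);
    }
    this.accessToken = res.access_token;
    // A refresh response may omit refresh_token; keep the previous one then.
    this.refreshToken = res.refresh_token || this.refreshToken;
    this.expiresAt = nowMs + res.expires_in * 1000;
  }
  // Next request to send, or null while the access token is still valid.
  nextRequest(cfg, nowMs, skewMs = 30000) {
    if (nowMs + skewMs < this.expiresAt) return null;
    if (!this.refreshToken) throw new Error("session expired, log in again");
    return refreshGrant(cfg, this.refreshToken);
  }
}
```

Each returned object can be passed to `fetch(req.url, req)`, with the parsed JSON response handed to `accept`.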
