
I'm doing research on OAuth 2.0 protocol.

I got stuck on the problem of generating bearer tokens for desktop/mobile applications that don't run on a web server.

The OAuth 2.0 protocol flow is clear to me for web applications. Suppose myapp.com wants to access protectedresource.com on behalf of user Alice. Alice then gets redirected to https://protectedresource.com/oauth?redirect_uri=https://myapp.com/oauth&[...] so that the resource manager, after obtaining consent, redirects Alice's browser to a page that will collect the authorization code and use it to obtain the bearer token.

This works fine and is secure because protectedresource.com recognizes the myapp.com domain and releases the bearer token only to requests coming from myapp.com.

If I'm running a desktop application, even with the support of a browser (i.e. embedding an HTML viewer in a Windows Form or something like that), where am I supposed to redirect Alice after consent?

Who collects the authorization code? How does the control flow change?

Does anybody have examples of OAuth 2.0 implementations running on desktop or Android?

2 Answers


The OAuth wiki lists numerous options you can use, all of which have downsides. The simplest involves you running a web app that can display the token to the user, and then the user copies the token (and maybe the refresh token) into your desktop app.

If you have plenty of time then you could investigate registering a custom URI with the desktop operating system, and then use that as the redirect_uri to automatically transfer back to your app from the browser. This has the best user experience.

A malicious app can easily pretend to be your desktop app in these scenarios, and security relies on your users not installing malicious apps.


I have a C# desktop application where I had a similar problem. I was not getting proper answers on how to implement OAuth in desktop applications. To solve this issue I used the built-in WebBrowser control and read the auth code by reading the callback URL, then generated the token. But a few months back sites like Shopify, eBay, and QBO stopped supporting IE11 and older versions, and unfortunately that built-in WebBrowser control uses the IE11 libraries, so I was stuck again.

To overcome all the hurdles I implemented C# listeners, which solved the issue permanently, and now my app is browser-independent.

You can watch my complete video on that here and also can download the sample project from here.
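The loopback-listener approach of the answer above, with the `state` check and PKCE (RFC 7636) that RFC 8252 recommends for native apps, as an added Python example that is not code from either answer or from the linked sample project; the authorization endpoint, client_id and listening port are whatever the caller supplies.

```python
import base64
import hashlib
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

def make_pkce_pair():
    """(code_verifier, code_challenge) per RFC 7636 S256; the verifier never leaves the app."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the RFC's 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state, challenge):
    """Authorization request URL; `state` ties the later callback to this attempt."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{authorize_endpoint}?{urlencode(params)}"

def parse_callback(path, expected_state):
    """Extract the code from the loopback redirect; refuse anything not from our own login."""
    query = parse_qs(urlparse(path).query)
    if "error" in query:
        raise ValueError(f"authorization server returned: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if not query.get("code"):
        raise ValueError("callback carried no authorization code")
    return query["code"][0]

def wait_for_callback(expected_state, port=0):
    """One-shot listener on 127.0.0.1 (port 0 lets the OS pick); returns the code."""
    outcome = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                outcome["code"] = parse_callback(self.path, expected_state)
                status, body = 200, b"Login complete. You may close this window."
            except ValueError as exc:
                outcome["error"] = str(exc)
                status, body = 400, str(exc).encode()
            self.send_response(status)
            self.end_headers()
            self.wfile.write(body)

    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()  # serve exactly one request, then close the socket
    if "error" in outcome:
        raise ValueError(outcome["error"])
    return outcome["code"]
```

The app opens the URL from `build_authorize_url` in the system browser, the redirect_uri points at the listener's `server.server_address`, and the returned code is then exchanged for the token together with the stored code_verifier.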
