I have been studying OAuth 2 and IdentityServer4 for the past year and a half, and in my opinion the preferred method to use in this scenario would be the hybrid flow. It seems that in the past this was implicit, due to the fact that the mobile client cannot protect the secret. Then it seems to have changed to the authorization code flow without a secret ... (I don't know how this will work.)

My understanding of Ionic and other cross-platform frameworks is that they work by implementing the application inside a web view, and this is where my confusion arises. Technically speaking, the hybrid flow is recommended for native applications, and Ionic is not something that allows you to create native applications.

If the recommended flow for native applications is hybrid, but you are using Ionic and therefore are not creating a native application, is the hybrid flow still used? Again, I assume that this is because it will be an application that runs locally on the end user's machine, and so the secret is NOT safe.

It also confuses me a bit, because there are other flows, for example credential-based flows, where you need to specify a username and password. This bothers me, because usually that is the way I would like users to authenticate in the mobile application. The hybrid flow appears to be a flow that does not require a username and password.

I come from an OWIN/MVC4 background.

My basic architecture plan is like this: