Does OAuth 2.0 always require a browser in the flow?

3

15

Can I use OAuth 2.0 without a browser (or an embedded browser in my app) to perform nightly uploads?

Setup: I have a refresh token and an access token from the provider console (Google Drive API).

I wish to use the Java SDK to use/reuse these to upload data without the requirement for any browser authorization once I have initially received my refresh/access tokens.

Scanner answered 25/2, 2015 at 10:57 Comment(0)
9

Yes, that is what unattended access with the refresh token is about. When the user gives consent in the Google prompt they are allowing persistent access even when they are not logged in. You can store the refresh token on the server somewhere. When the access token expires then use the refresh token to request a new access token.

Just to clarify some of the wording in your question, the refresh and access tokens do not form a pair. So saying "reuse these", should actually be "reuse this", where 'this' is the refresh token.

Patroon answered 25/2, 2015 at 11:22 Comment(5)
OK, great, then why would I get 'login required error' in this scenario? What am I doing wrong? #28596177 - Scanner
Difficult to say what you're doing wrong since you didn't say what you're doing. - Patroon
Why did you say Yes? I don't consider this to be correct. As you have said, you need a consent at least once or when the refresh token has expired. So the correct answer should have been No. - Borneol
@Borneol it depends if you interpret the question as "do I need a browser ever?" or "do I need a browser each night?" The OP says he already has a Refresh Token, so it's safe to assume he knows that he once needed a browser to obtain that. His question goes on to explain he is having a problem using the Refresh Token, and he does not need a browser to use it - hence the answer is Yes. Refresh Tokens don't expire (under normal circumstances) - which is why they exist. - Patroon
But you still need a browser to obtain one and tokens can be revoked. So you do need a browser. - Borneol
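
Added example (not part of the answer or comments above, and not Google SDK code): the RFC 6749 refresh-token grant against Google's token endpoint, caching the access token and treating invalid_grant as the revoked-token case raised in the comments, where a new browser consent is required. The names UnattendedTokens, ConsentRequired and http_post_form, and the injectable post/clock parameters, are assumptions made for illustration.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


class ConsentRequired(Exception):
    """Refresh token was revoked or expired: browser consent is needed again."""


def http_post_form(url, fields):
    """POST form fields and return (status, parsed JSON body). Real network transport."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=30) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:  # 4xx replies still carry a JSON error body
        return e.code, json.load(e)


class UnattendedTokens:
    """Hypothetical helper: caches the access token and refreshes it on expiry."""

    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.time):
        # The refresh token and client secret are long-lived credentials:
        # load them from a secret store and never write them to logs.
        self._form = {"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret, "refresh_token": refresh_token}
        self._post, self._clock = post, clock
        self._access_token, self._expires_at = None, 0.0

    def access_token(self, skew=60):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._access_token and self._clock() < self._expires_at - skew:
            return self._access_token
        status, body = self._post(TOKEN_URL, self._form)
        if status == 400 and body.get("error") == "invalid_grant":
            raise ConsentRequired("refresh token rejected; repeat the consent flow")
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token endpoint error {status}: {body.get('error')}")
        self._access_token = body["access_token"]
        self._expires_at = self._clock() + int(body.get("expires_in", 0))
        return self._access_token
```

A nightly job would call access_token() before each upload and alert an operator on ConsentRequired, since that is the one condition a background process cannot recover from on its own.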
15

OAuth 2.0 requires a browser for user consent once

A browser is required, so that the user can agree to the request of the app to access the user's data. After the user has agreed to share the data with the app, the app can use the refresh token without a browser-based flow.

Documented here: https://developers.google.com/accounts/docs/OAuth2WebServer

Alternative for non-browser apps

You may use the OAuth 2.0 for Devices flow: Your app can act as a device which queries a code from Google, displays it to the user, and asks the user to browse to a verification URL (e.g. with System.out.println...).

So a browser is still needed, but your application itself doesn't need to provide a webpage to the user.

Suggestive answered 25/2, 2015 at 19:51 Comment(0)
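
Added example (not part of the answer above, and not Google SDK code): the device authorization grant as specified in RFC 8628, showing the code display and the polling loop with its authorization_pending and slow_down handling. The function names, the post(url, fields) transport shape, the endpoint URLs passed in and the optional client_secret are assumptions; scripted_post is a constructed stand-in that replays canned replies so the flow can be exercised offline.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628


def scripted_post(responses):
    """Constructed stand-in for the HTTP transport: replays canned replies."""
    it = iter(responses)
    return lambda url, fields: next(it)


def device_flow(post, device_url, token_url, client_id, scope,
                client_secret=None, show=print, sleep=time.sleep):
    """Run the device grant; post(url, fields) must return (status, json_dict)."""
    status, dev = post(device_url, {"client_id": client_id, "scope": scope})
    if status != 200:
        raise RuntimeError(f"device authorization failed: {dev.get('error')}")
    # RFC 8628 names the field verification_uri; Google returns verification_url.
    url = dev.get("verification_uri") or dev["verification_url"]
    show(f"Open {url} in any browser and enter code {dev['user_code']}")

    interval = int(dev.get("interval", 5))
    remaining = int(dev["expires_in"])
    poll = {"grant_type": DEVICE_GRANT, "client_id": client_id,
            "device_code": dev["device_code"]}
    if client_secret is not None:  # some providers require it for this client type
        poll["client_secret"] = client_secret
    while remaining > 0:
        sleep(interval)
        remaining -= interval
        status, tok = post(token_url, poll)
        if status == 200:
            return tok  # access_token and, if granted, refresh_token
        err = tok.get("error")
        if err == "authorization_pending":
            continue  # the user has not finished approving yet
        if err == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
            continue
        raise RuntimeError(f"device flow aborted: {err}")  # e.g. access_denied
    raise TimeoutError("user_code expired before the user approved the request")
```

The refresh token returned on success is what the nightly job stores; the device_code and user_code are single-use and can be discarded.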
0

In short: yes, for security reasons.

When the user taps the “Sign In” button, the app should open the authorization URL in a secure in-app browser (ASWebAuthenticationSession on iOS, or a “Custom Tab” on Android). Using an embedded WebView window within the app is considered extremely dangerous, as this provides the user no guarantee they are looking at the service’s own website and so is an easy source of a phishing attack. The embedded web view also provides a worse user experience since it does not share system cookies and the user will always have to enter their credentials. By using the platform’s secure browser APIs which share cookies with the system browser, you have the advantage of the user potentially already being signed in to the service as well and not needing to enter their credentials every time.

https://www.oauth.com/oauth2-servers/mobile-and-native-apps/authorization/

Biotechnology answered 5/8, 2023 at 9:43 Comment(0)
