asp.net core - Single sign on between web application and native desktop application using OAuth 2
We want to code a web application (with ASP.NET Core) that starts a legacy Windows desktop application via a custom URL protocol. The web application uses an authorization server to obtain an access (bearer) token via OAuth 2 and has access to the user's resources via an ASP.NET Core Web API. The desktop application must be able to access the user's resources via the Web API too. How can the desktop application obtain an access token?
I can think of the following options:
- The desktop application shows a login screen, sends the entered username and password to the authorization server (using the “resource owner password credentials” grant type of OAuth 2) and gets an access token back.
- The desktop application shows an embedded browser window. The embedded browser requests the OAuth authorize endpoint of the authorization server (using the “authorization code” grant type of OAuth 2) and the user must log in and authorize. The authorization server redirects to the redirect URL. The desktop application intercepts the redirect, extracts the authorization token and uses the access token.
- The web application starts the desktop application and passes the access (bearer) token as an argument to the desktop application.
- Before starting the desktop application, the web application requests a new authorization code from the authorization server. The web application starts the desktop application and passes the authorization code as an argument to the desktop application. The desktop application exchanges the authorization code for an access token by sending the authorization code to the OAuth token endpoint of the authorization server.
We do not wish to use the first and second option, because we want single sign on.
The third option does not seem a good idea, because malicious software on the user’s desktop PC can obtain and use the access token too.
The fourth option seems to be the only option left. As far as I know, the authorization code is a temporary (short-lived) one-time token. Besides that, you need to know the client secret for obtaining an access token. Can you confirm that option 4 is the way to go? Or did I overlook something?
Are there any examples of this IdentityServer scenario?
Both applications should share the logon session using the system browser. That way the user gets SSO in the native app (and vice versa).
The spec describes best practices for native apps: https://tools.ietf.org/html/draft-ietf-oauth-native-apps-12
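The flow the answer points to (system browser rather than an embedded one, a loopback redirect URI the desktop app listens on, and PKCE per RFC 7636 instead of a client secret baked into the .exe), written out as an added Python example. This is not code from the question, the answer or IdentityServer; the endpoint URLs and `client_id` are assumed placeholders, and `run_login_flow` takes the browser-opening function as a parameter so the exchange can be exercised without a real authorization server. Because any local process can send a request to the loopback port, the redirect handler drops anything that does not carry the `state` value this login attempt generated.

```python
"""Native-app authorization code + PKCE flow via the system browser and a
loopback redirect.  Added example, not code from the question, the answer or
IdentityServer; endpoints and client_id are assumed placeholders."""
import base64
import hashlib
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example/connect/authorize"  # placeholder
TOKEN_ENDPOINT = "https://auth.example/connect/token"          # placeholder
CLIENT_ID = "legacy-desktop"  # public client: no secret is shipped in the .exe

def pkce_challenge(verifier):
    """RFC 7636 S256: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Fresh 256-bit verifier and its challenge for one login attempt."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)

def build_authorize_url(state, challenge, redirect_uri, scope="openid api"):
    """URL handed to the *system* browser (never an embedded one)."""
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": redirect_uri, "scope": scope, "state": state,
             "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(query)

def parse_redirect(request_target, expected_state):
    """Validate '/callback?code=..&state=..' and return the authorization code."""
    params = parse_qs(urlparse(request_target).query)
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"][0])
    # Any local process can hit the loopback port; only a redirect carrying the
    # state we generated belongs to our login attempt.
    if not secrets.compare_digest(params.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch; discarding redirect")
    if "code" not in params:
        raise ValueError("redirect carried no authorization code")
    return params["code"][0]

def build_token_request(code, verifier, redirect_uri):
    """Form body to POST to TOKEN_ENDPOINT; the verifier stands in for a client secret."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}

class _RedirectHandler(BaseHTTPRequestHandler):
    """Serves the single request the browser makes to the loopback URI."""
    def do_GET(self):
        srv = self.server
        try:
            srv.code = parse_redirect(self.path, srv.expected_state)
            status, body = 200, b"Login complete. You can close this window."
        except ValueError as exc:
            srv.error, status, body = str(exc), 400, str(exc).encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        srv.done.set()
    def log_message(self, *args):  # keep stderr quiet
        pass

def start_loopback_listener(expected_state):
    """Bind an ephemeral 127.0.0.1 port; return (server, redirect_uri)."""
    server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    server.expected_state, server.code, server.error = expected_state, None, None
    server.done = threading.Event()
    threading.Thread(target=server.handle_request, daemon=True).start()
    return server, "http://127.0.0.1:%d/callback" % server.server_port

def run_login_flow(open_browser, timeout=120):
    """Whole native-app flow; returns the form body for the token request."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    server, redirect_uri = start_loopback_listener(state)
    open_browser(build_authorize_url(state, challenge, redirect_uri))
    arrived = server.done.wait(timeout)
    server.server_close()
    if not arrived:
        raise TimeoutError("no redirect received from the browser")
    if server.error:
        raise ValueError(server.error)
    return build_token_request(server.code, verifier, redirect_uri)

if __name__ == "__main__":
    import webbrowser
    print("POST", TOKEN_ENDPOINT, run_login_flow(webbrowser.open))
```

The SSO itself comes from the authorization server's own browser session: if the user already logged in through the web application in that same system browser, the authorize request opened by the desktop app is answered without prompting for credentials again. The returned form body is what the desktop app then POSTs to the token endpoint; no `client_secret` appears in it, which is the point of PKCE for a public client.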