okta/samples-ios

Browser Sign In vs Custom Sign In

Closed this issue · 3 comments

Which is considered to be the best practice?

I would expect the Authorization Code with PKCE via Browser Sign In to be best practice.
And, I assume that going the Custom Sign In route will be using the Resource Owner Password route, which is less secure, correct?

Also, what are the plans regarding Resource Owner Password, assuming there is a good chance it might be deprecated in OAuth 2.1?

Also, also, are there currently any plans to support Flutter in the near future?

Some clarification into this would be greatly appreciated.

Thank you.

(I understand that this is not a code/error question, but I was sent to GitHub with these questions by my Okta case owner.)

Hi @pgulegin, PKCE is generally considered the most secure flow for public/untrusted clients (apps where credentials cannot be kept privately, which some consider to be true of mobile apps as well).

We have a longer writeup on the protocol here: https://developer.okta.com/docs/concepts/oauth-openid/

Hope this helps!
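As an added illustration of the Authorization Code + PKCE flow discussed above (this is not code from the samples-ios repository or the Okta SDK), the client-side verifier/challenge steps from RFC 7636 together with the check an authorization server performs at token exchange; the sample verifier is the RFC 7636 test vector, and the parameter names follow the standard OAuth 2.0 authorization request.

```python
import base64
import hashlib
import secrets


def b64url_nopad(raw: bytes) -> str:
    """base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes -> 43 unreserved chars (RFC 7636 allows 43..128)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: base64url(SHA-256(verifier)). Only the challenge leaves the device."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request_params(client_id: str, redirect_uri: str, verifier: str, state: str) -> dict:
    """Query parameters for the browser-based /authorize request; no secret is embedded."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def server_token_exchange_check(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the server does at /token: recompute the challenge from the presented verifier
    and compare in constant time. A stolen authorization code is useless without the verifier."""
    if stored_method != "S256":
        return False  # reject the weaker 'plain' method
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

Because the verifier never appears in the front-channel redirect, an attacker who intercepts the authorization code cannot redeem it, which is the property that makes this flow preferable to the Resource Owner Password grant for a mobile app.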

Hi @robertjd,

Got it! PKCE is most secure.

Are there any plans to deprecate the ROP grant? And, any planned Flutter support?

Thanks for being so helpful!

Hi @pgulegin,
Resource Owner Password will not be deprecated as it can benefit some customers.
Regarding Flutter support, we are investigating this question for now.

Closing for now. Feel free to open new issues.