Hi, and thanks for the prompt reply!
I would recommend making the mobile app the RP, and having the server be an additional protected resource that accepts access tokens from the mobile app. This is how it's commonly handled, and there are libraries (such as Google's AppAuth) that handle most of these interactions.
So basically the mobile app performs all the steps until it gets the ID token from the OIDC Provider, and then sends this token to my server, who must check the signature of the token to make sure it really came from the OIDC Provider. I'm just wondering how durable this solution is. Suppose the OIDC Provider would change their signing key; my server would then falsely reject valid tokens unless it periodically checked for public key updates (or does this never/seldom happen?).

Best regards,
Dario Teixeira

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
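The key-rotation worry raised above, as an added example that is not from this thread, from AppAuth or from any provider: a minimal server-side verifier that caches the provider's public keys by kid and re-reads the JWKS once when a token arrives under an unknown kid, so a rotated key is picked up without a restart. Verifier, Sign, fetch and the kid values are this example's own assumptions; the real jwks_uri would come from the provider's discovery document.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
// Verifier caches the OP's public keys by kid; fetch stands in for an HTTPS GET of jwks_uri (assumed).
type Verifier struct {
	fetch func() map[string]*rsa.PublicKey
	cache map[string]*rsa.PublicKey
}
// Verify checks an RS256 compact JWS; an unknown kid triggers exactly one JWKS refresh.
func (v *Verifier) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unsupported alg") // never honour alg=none or HS* here
	}
	key := v.cache[hdr.Kid]
	if key == nil { // key rotation: re-read the JWKS once, then fail closed
		v.cache = v.fetch()
		key = v.cache[hdr.Kid]
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	raw, _ := b64.DecodeString(parts[1])
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims) // caller still checks iss, aud, exp, nonce
}

func Sign(priv *rsa.PrivateKey, kid string, claims map[string]any) string { // OP-side test scaffolding
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	c, _ := json.Marshal(claims)
	body := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	d := sha256.Sum256([]byte(body))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return body + "." + b64.EncodeToString(sig)
}
```

Point fetch at a map holding the current key, sign with its kid, then swap the map for a new kid: the first token under the new kid costs one refresh and then verifies, while tokens under the withdrawn kid fail closed. This only answers the signature question; the server still has to validate iss, aud, exp and nonce as OIDC Core requires.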
