Hi, Thanks for your reply and your patience!
Our recommendations are based on the assumption that the end state is your app having an access token for your rest API. If that is not what you are trying to do then we may be talking at cross purposes.
Yes, that is exactly the end state I'm looking for, though there is a chance there is some misunderstanding about the whole picture. Allow me to summarise the current situation:

Users interact with a Native App (NA) running on a mobile phone. This app talks with a Resource Server (RS) via a RESTful API. Because there is private user data on the RS, the very first interaction between the NA and the RS is a login where the NA asks the user for an email+password combination, which it then sends to the RS. If the email+password combination is valid, the RS replies with an access token that must be used by the NA in all its future requests. This works fine, but has the disadvantage of requiring users to manually enter their email and password. The user experience would be much improved if users had the option to log in using their Google, Facebook, or Github account.

Now, it is my understanding that OpenID Connect is the technology used nowadays to provide this sort of Single Sign-On. All I'm looking for is documentation on how OIDC is actually implemented in this scenario.

Best regards,
Dario Teixeira

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
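As an added illustration (not from the thread or any of its participants) of the Resource Server side of the flow Dario describes: the native app obtains an ID token from an OpenID Provider such as Google and posts it to the RS's login endpoint, and the RS validates that token as OIDC Core requires before issuing its own access token, just as it does today after a password login. The function names, the `verify_signature` callback and the sample claims are assumptions; checking the signature against the provider's JWKS needs a JOSE library, so it is delegated to the callback rather than skipped.

```python
import base64
import json
import secrets
import time

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_token(header: dict, claims: dict, signature: bytes) -> str:
    """Assemble a compact JWT; used here only to construct sample tokens."""
    segs = [_b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(segs + [_b64url_encode(signature)])

def parse_id_token(token: str):
    """Split a compact JWT into (header, claims, signing_input, signature)."""
    head, body, sig = token.split(".")  # ValueError unless 3 segments
    header = json.loads(_b64url_decode(head))
    claims = json.loads(_b64url_decode(body))
    return header, claims, f"{head}.{body}".encode(), _b64url_decode(sig)

def validate_id_token(token, verify_signature, *, issuer, client_id,
                      expected_nonce, now=None, leeway=60):
    """Return the verified 'sub' claim or raise ValueError (OIDC Core 3.1.3.7)."""
    now = time.time() if now is None else now
    header, claims, signing_input, signature = parse_id_token(token)
    if header.get("alg") in (None, "none"):  # never accept unsigned tokens
        raise ValueError("unsigned ID token")
    # verify_signature (assumed callback) must check against the provider's JWKS
    if not verify_signature(header, signing_input, signature):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this app's client_id")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims["sub"]

def login_with_id_token(token, verify_signature, session_store, **checks):
    """RS login endpoint: bind a fresh RS access token to the OIDC subject."""
    sub = validate_id_token(token, verify_signature, **checks)
    access_token = secrets.token_urlsafe(32)
    session_store[access_token] = sub
    return access_token
```

The RS then treats the returned access token exactly like the one it issues after a password login; the NA never sees the user's Google credentials and the RS never stores the ID token.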
