Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

2017-01-27 Thread ve7jtb
A mobile app that uses only the Google API would/should register for a Google client ID and use Connect with Google. A mobile app that uses only its own API should have a client ID from its own authorization server, and leave it to the authorization server to deal with the authentication.

Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

2017-01-27 Thread Phil Hunt (IDM)
What is concerning is that many are using the resource owner flow so the client app can capture the uid/password, under the assumption that the client needs to control the branding experience, much as has been done in silo approaches of the past. Adding to the confusion, I note that many of the cloud

Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

2017-01-27 Thread ve7jtb
It sounds like you are currently doing something like the OAuth resource owner flow. Is there an authorization server currently associated with your resource server? If so, you can change the OAuth flow you are using to the code one as described in AppAuth. You still need to authenticate the
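The two messages above (Phil Hunt's warning about the resource owner password flow, and the suggestion to move to the authorization code flow as AppAuth does it) are easiest to compare in code. The following is an added example and not code from the thread or from the AppAuth project: it builds the code flow with PKCE (RFC 7636) on the client side, does the `code_verifier` check the authorization server performs at its token endpoint, and puts the resource owner password request beside it so the difference is visible. The endpoint URLs, the client ID and the redirect URI are assumed placeholder values, and the redirect response is constructed inline rather than received from a real server.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholder values; a real app uses its own AS and registered client.
AUTH_ENDPOINT = "https://as.example.com/authorize"
TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENT_ID = "example-mobile-app"
REDIRECT_URI = "com.example.app:/oauth2redirect"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_pkce_pair(code_verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method.

    The verifier stays on the device; only the SHA-256 challenge is sent in
    the front-channel authorization request, so an intercepted code is useless
    without the verifier.
    """
    if code_verifier is None:
        code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return code_verifier, challenge


def build_authorization_url(state: str, code_challenge: str, scope: str = "openid") -> str:
    """Front-channel request the app hands to the system browser (never a WebView)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the code from the redirect back to the app, rejecting a bad state."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    return query["code"][0]


def build_code_token_request(code: str, code_verifier: str) -> dict:
    """Back-channel token request for a public client: no secret, no password."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def build_ropc_token_request(username: str, password: str) -> dict:
    """The resource owner password flow the thread warns about: the app itself
    collects and transmits the user's credential."""
    return {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
    }


def as_verify_code_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def run_code_flow() -> dict:
    """Walk one full exchange with a constructed redirect; returns the token body."""
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = generate_pkce_pair()
    build_authorization_url(state, challenge)  # user authenticates in the browser
    # Constructed redirect as the AS would send it back to the app's URI.
    redirect = REDIRECT_URI + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = parse_redirect(redirect, state)
    body = build_code_token_request(code, verifier)
    assert as_verify_code_verifier(challenge, body["code_verifier"])
    return body
```

The app never sees the user's password in the code flow; the only secret on the device is the one-shot `code_verifier`, and the AS binds the code to it. That is the property the resource owner flow gives up, whatever branding argument is made for it.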

Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

2017-01-27 Thread Dario Teixeira
Hi, Thanks for your reply and your patience! Our recommendations are based on the assumption that the end state is your app having an access token for your rest API. If that is not what you are trying to do then we may be talking at cross purposes. Yes, that is exactly the end state I'm

Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

2017-01-27 Thread John Bradley
If you are protecting your API with OAuth, in my recommendation there are two sets of authorization and token endpoints. One set run by Google (as an example) for authentication and issuing an access token for the Google UserInfo endpoint, and one set run by you to issue an access token for your resource