We have chosen to use "Username-Password OAuth Authentication Flow" over the "Web Server OAuth Authentication Flow" and "User-Agent OAuth Authentication Flow" because we need to log in silently, without user interaction.
We will be authenticating users from Android/iOS apps using REST web services.
- Is the "Username-Password OAuth Authentication Flow" the least secure flow?
- What possible security issues should be taken into account when using this flow?
- grant_type, client_id, client_secret, username, password will be sent as URL parameters. Is it possible to POST these parameters as JSON?
Best Answer
Answering your questions in order:
application/x-www-form-urlencoded data - see this article.

I would advise you to consider one of the interactive flows, and store the refresh token, or even the JWT Bearer Token flow, where the app creates a signed token, rather than username-password, which should be considered a last resort when no other option is available.
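As an added illustration of the answer's two points, not code from the original post: the username-password request built as a form-encoded POST body (credentials never in the query string), and the JWT bearer flow where the app sends a short-lived signed assertion instead of a password, with the token-endpoint side of the check. The endpoint, client id and key are placeholders, and HMAC-SHA256 stands in for the RS256 signature a provider may require.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode

# Constructed placeholders, not a real endpoint or client.
TOKEN_URL = "https://login.example.test/services/oauth2/token"
CLIENT_ID = "placeholder-client-id"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def password_grant_request(client_secret, username, password):
    """Username-password flow: every credential goes in the POST body as
    form data (the endpoint in the answer accepts form data, not JSON)."""
    body = urlencode({"grant_type": "password", "client_id": CLIENT_ID,
                      "client_secret": client_secret,
                      "username": username, "password": password})
    return TOKEN_URL, FORM, body

def jwt_bearer_request(key: bytes, subject: str, audience: str, now: int):
    """JWT bearer flow (RFC 7523): a short-lived signed assertion replaces the
    user's password. HMAC-SHA256 keeps the example self-contained; a provider
    that mandates RS256 needs only the signing line swapped for an RSA signer."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": CLIENT_ID, "sub": subject,
                                "aud": audience, "exp": now + 180}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    body = urlencode({"grant_type": JWT_BEARER,
                      "assertion": f"{header}.{claims}.{b64url(sig)}"})
    return TOKEN_URL, FORM, body

def verify_assertion(key: bytes, body: str, audience: str, now: int) -> dict:
    """Token-endpoint side: check signature, audience and expiry; return claims."""
    form = parse_qs(body, strict_parsing=True)
    header, claims, sig = form["assertion"][0].split(".")
    expected = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(claims))
    if payload["aud"] != audience or payload["exp"] <= now:
        raise ValueError("wrong audience or expired")
    return payload
```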