Login flow & is there a way to avoid redirecting the user in order to use our API?

We’re building a mobile app and a corresponding API for this app to call.

Our goal is to log in the user and then use access_tokens to authenticate them on the backend whenever our app makes an API call.

Is there a way to avoid redirecting the user to give permission to use our API after they log in? OR is there a way to authenticate them to call our API during login? It seems weird that users have to take extra steps in order for our app to call our own API.

One possibility I see would be for us to use the id_token given upon login to authenticate the user on the backend upon API call, but I realize that’s not what an id_token is for. Is this a valid option?

If you don’t want redirects you can make use of the resource owner password grant and collect the user’s credentials within your mobile application. You could then exchange those credentials for a suitable access token for calling your API. As part of the exchange you could also request a refresh token so that the user would not have to keep providing their credentials to your application.

For more information see:
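The exchange described in the answer above, as an added example that is not part of the original thread and not any vendor's SDK: the app posts the user's credentials to the token endpoint with `grant_type=password` (RFC 6749 §4.3), receives an access token plus a refresh token, and later trades the refresh token for a fresh access token (§6); the backend API then checks the bearer token on every call. Both sides are in one file so it runs offline. The endpoint URL, client id, `audience` parameter (not in RFC 6749), `offline_access` scope, user record and token format are constructed assumptions. Keep in mind that RFC 6749 only allows this grant for clients the server trusts with the user's password (a first-party app such as the one described), and the OAuth 2.0 Security Best Current Practice recommends the authorization code flow with PKCE instead, so the no-redirect convenience comes with that trade-off.

```python
"""Password grant + refresh grant, client, authorization server and API in one
file. Added example; values below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"  # hypothetical
CLIENT_ID = "mobile-app"                                 # hypothetical
API_AUDIENCE = "https://api.example.com"                 # hypothetical API identifier
ACCESS_TTL = 900                                         # access token lifetime, seconds


# --- client side: what the mobile app sends once it has the credentials --------
def build_password_grant_body(username: str, password: str) -> str:
    """Form body for POST to TOKEN_ENDPOINT. 'offline_access' is the scope many
    servers use to hand back a refresh token (convention, not RFC 6749)."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
        "audience": API_AUDIENCE,        # non-standard parameter; assumption
        "scope": "openid offline_access",
    })


def build_refresh_body(refresh_token: str) -> str:
    """Later exchange: refresh token in, new access (and refresh) token out."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token, "client_id": CLIENT_ID})


# --- authorization server side (in-memory, constructed) ------------------------
_SIGNING_KEY = secrets.token_bytes(32)          # shared with the API for this demo
_SALT = b"constructed-salt"


def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


_USERS = {"alice": _pw_hash("correct horse battery staple")}  # constructed user
_REFRESH: dict = {}   # refresh_token -> (sub, scope); single use, rotated on refresh


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _mint_access_token(sub: str, scope: str, now: int) -> str:
    """Compact HMAC-signed token: base64(json claims).base64(sig)."""
    payload = json.dumps({"sub": sub, "aud": API_AUDIENCE, "scope": scope,
                          "exp": now + ACCESS_TTL}, separators=(",", ":")).encode()
    sig = hmac.new(_SIGNING_KEY, payload, "sha256").digest()
    return _b64(payload) + "." + _b64(sig)


def _issue(sub: str, scope: str, now: int):
    refresh = secrets.token_urlsafe(32)
    _REFRESH[refresh] = (sub, scope)
    return 200, {"access_token": _mint_access_token(sub, scope, now),
                 "token_type": "Bearer", "expires_in": ACCESS_TTL,
                 "refresh_token": refresh}


def token_endpoint(body: str, now=None):
    """Handles POST TOKEN_ENDPOINT. Returns (http_status, json_response)."""
    now = int(time.time()) if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("client_id") != CLIENT_ID:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "password":
        stored = _USERS.get(form.get("username", ""))
        given = _pw_hash(form.get("password", ""))   # hash even for unknown users
        if stored is None or not hmac.compare_digest(stored, given):
            return 400, {"error": "invalid_grant"}
        return _issue(form["username"], form.get("scope", ""), now)
    if grant == "refresh_token":
        entry = _REFRESH.pop(form.get("refresh_token", ""), None)  # one use only
        if entry is None:
            return 400, {"error": "invalid_grant"}
        return _issue(entry[0], entry[1], now)
    return 400, {"error": "unsupported_grant_type"}


# --- resource server side: what the backend API does on every call -------------
def authenticate_api_request(authorization_header: str, now=None):
    """Returns the token claims if the bearer token is valid for this API, else None."""
    now = int(time.time()) if now is None else now
    if not authorization_header.startswith("Bearer "):
        return None
    try:
        p, s = authorization_header[len("Bearer "):].split(".")
        payload = _unb64(p)
        expected = hmac.new(_SIGNING_KEY, payload, "sha256").digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        claims = json.loads(payload)
    except ValueError:          # bad base64, wrong segment count or bad JSON
        return None
    if claims.get("aud") != API_AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims
```

The two checks the backend must not skip are the ones at the end of `authenticate_api_request`: the audience check is what stops an id_token (audience = the client id) or a token minted for some other API from being accepted, which is the reason the question's "just send the id_token" idea is unsafe, and the expiry check is what makes the refresh token necessary in the first place.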