I’m very new to OAuth2/OpenId (in fact very new to web development in general). I’m trying to understand which authentication flow I should be using.
I have created a web API on the back-end, and on the front end we have a web app (which I’m busy writing) and a phone app (being written by someone else).
Both the web app and web API are written in ASP .Net Core 1.1 MVC.
The system is basically an application that real estate agents can use when they go to a house to do an inspection. SO it’s a data capturing system where they can fill in the condition of each room, and take pictures.
The user needs to log in with his username and password (after having previously registered) to use the system.
I am using Auth0 for the authentication server.
According to many posts I’ve read, server side MVC web apps should use the Client Credentials Grant flow, whereas phone or client side web apps should use the Resource Owner Password Credentials Grant flow. OK, so on the phone app, that’s what the other developer will use. But I’m a bit unsure of which of those two flows (or perhaps another flow) to use on the web app. If I use the Client Credentials flow, my understanding is that the web app will have a Client ID and Client Secret which it will use to authenticate itself to the authentication server, in which case it will receive an access token which it can then use to access the web API. But where in this process does the user fill in his username and password??? So perhaps I need to use the Resource Owner Password Credentials flow - against the recommendations of what * I’ve read on various websites?
Any pointers would be greatly appreciated! Thank you…*