Hello,
The below article indicates that a browser-based UX is the best practice for a mobile app (as opposed to a native (embedded) UX).
mobile-device-login-flow-best-practices
And in the article below, it appears that the Authorization Code Flow with PKCE is the recommended flow.
authorization-code-flow-with-proof-key-for-code-exchange-pkce
After reading both articles I walked away with the assumption that for any new mobile app, the best practice is to ALWAYS use the Authorization Code Flow with PKCE. However, I’m wondering if there are other scenarios where other flows are appropriate (or even considered a best practice) for a mobile app.
Consider this scenario: the architecture for my app includes both a mobile app and an API.
Would the API then be considered a confidential application allowing me to use the Resource Owner Password Flow and make use of a native UX (rather than a browser-based UX)? The Resource Owner Password Flow article says:
- “…the Resource Owner Password Flow should only be used when redirect-based flows (like the Authorization Code Flow) cannot be used.”
My question to this above statement is: Why? If my API is a trusted part of my overall system, and is considered a confidential application, then what additional security risks am I opening myself up to by using the Resource Owner Password Flow?
Thanks!
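To make concrete what the PKCE recommendation buys a public client such as a mobile app, here is an added example (not from the original post or from either linked article) that walks the RFC 7636 exchange: the client derives a `code_verifier`/`code_challenge` pair, a minimal stand-in authorization server binds the challenge to the issued code, and the token endpoint rejects any party that presents the code without the matching verifier. The `AuthorizationServer` class and `demo()` are constructed for illustration only.

```python
"""PKCE (RFC 7636) round trip: what the public client keeps, what the server checks.
Added example; the AuthorizationServer stand-in is constructed for illustration."""
import base64
import hashlib
import hmac
import secrets

# Test vector from RFC 7636, Appendix B (S256 method).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved chars, the minimum length RFC 7636 allows.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in: remembers which challenge was bound to each code."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._pending.pop(code, None)  # a code is single-use
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time compare of the recomputed challenge against the stored one.
        return hmac.compare_digest(code_challenge_s256(code_verifier), challenge)


def demo() -> dict:
    verifier = make_code_verifier()          # stays on the device, never sent in the redirect
    asrv = AuthorizationServer()
    code = asrv.authorize(code_challenge_s256(verifier))
    # A party holding only the code (no verifier) cannot redeem it.
    without_verifier = asrv.token(code, make_code_verifier())
    code = asrv.authorize(code_challenge_s256(verifier))  # the failed attempt consumed the first code
    legit = asrv.token(code, verifier)
    replay = asrv.token(code, verifier)      # same code again: already consumed
    return {"code_alone_rejected": not without_verifier, "legit_accepted": legit, "replay_rejected": not replay}
```

The contrast with the Resource Owner Password Flow is that here the user's credentials never pass through the app at all; only the short-lived code and a one-time secret that the app itself generated are exchanged.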