I am currently thinking about alternative ways for my native iOS Application (written in Swift) to receive access- & refresh-tokens. As of now, user sessions are established using revocable JWTs, issued by my API once a POST request is made to the /login endpoint, containing email and password (and optionally an MFA token).
However, there are many websites bashing usage of JWTs for an implementation of user sessions, arguing that OAuth2 would be a much more suitable option for that.
Unfortunately, I do have a problem with OAuth’s authentication flow. I just do not want to display an ugly browser in my beautifully created app. I do know that there’s the SFSafariViewController on iOS, however, this still ruins the entire flair and smooth login process of my app.
I do understand the benefits of using OAuth with third party applications; however, I do not see that advantage when using first-party applications I, and only I, maintain. Especially as OAuth doesn’t provide a bulletproof solution for validating a public client’s authentication either; I can’t store a client secret in my app, which, in theory, allows anybody to impersonate my app once they know my API endpoints etc.
How likely is the scenario of someone impersonating my application anyways; are there even bulletproof ways to avoid that?
I browsed through quite a lot of articles online and questions here on StackExchange regarding OAuth2, however, none of them really addressed my issue regarding first-party native applications:
https://security.stackexchange.com/a/102045/227388 -> didn’t cover any aspects regarding first-party-applications
OAuth Authorization Flow without external user agent for iOS application -> didn’t cover any alternatives to OAuth 2, didn’t mention what big players use
Therefore, my questions:
- Considering the above described use case of a first-party native iOS Application, would you still recommend me to use OAuth 2?
- Would sticking to my existing implementation with revokable JWTs be reckless?
- What are all the “big players” using for their login flow? Twitter isn’t displaying a website when logging in via their mobile app?
- Are there any alternatives you would point me to?
- How likely is the scenario of someone impersonating my application anyways; are there even bulletproof ways to avoid that?
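To make the "revocable JWT" session model in the question concrete, here is an added illustration (not the asker's code) of what the API side of such a scheme has to do: mint an HS256 token with a unique `jti`, and on every request check signature, algorithm, expiry and a revocation list. The secret and the in-memory revocation set are constructed for the demo; a real deployment would keep both in a secret store and a shared cache or database.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed demo secret (assumption); load from a secret store in practice.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
# Revocation list: jti values of tokens that have been revoked (in-memory for the demo).
REVOKED_JTI = set()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT carrying a unique jti so it can be revoked later."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds,
               "jti": secrets.token_urlsafe(16)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def revoke_token(token: str) -> None:
    """Record the token's jti; verify_token will reject it from now on (logout, compromise)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    REVOKED_JTI.add(payload["jti"])

def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, alg, expiry and revocation checks pass; else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        # Verify with the server's fixed algorithm first, so the header cannot pick a weaker one.
        expected = hmac.new(SERVER_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None
    if claims.get("exp", 0) <= now or claims.get("jti") in REVOKED_JTI:
        return None
    return claims
```

The revocation check is what turns a stateless JWT into a session the server can end; without it, a stolen token stays valid until `exp`.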