Support for iOS?
Hello,
We currently use Goth for the web OAuth flow, but are porting our webapp to iOS with Capacitor. Is there any way to configure Goth to work on mobile?
The web flow for Google requires an HTTP redirect URI, so we can't trigger a redirect to an iOS universal link from Goth, e.g., can't open an app on redirect. Has anyone hit this issue? How did you work around it?
We've toyed with the idea of stepping through the OAuth flow on the iOS frontend and then passing the token back to our backend to validate a session and have Goth complete the flow, but that seems a little awkward.
Do we just need to bite the bullet and use something completely different for mobile OAuth?
Hey @HammerMeetNail,
There currently isn't a way to configure Goth to work on mobile, at least in a way that provides sufficient security guarantees (as far as I know – I'm not very familiar with the current standards or best practices for OAuth on mobile devices).
Goth lacks support for the PKCE challenge (see the nice description or the RFC), which should be required when authenticating users via OAuth on a mobile flow.
I don't have a lot of experience with mobile OAuth authentication, but something like https://openid.github.io/AppAuth-iOS may offer a starting point. This is something I'm going to have to figure out for myself over the next few months, so I'll leave this issue open and keep it updated if I make any progress with regards to Goth.
I know that there are some apps that use an embedded webserver and webview. Would that work for you? I am not familiar with iOS app dev.