OpenID Connect Authentication Flow (using KeyCloak) in a Mobile App + REST Backend

I believe Resource Owner Credentials flow should be avoided unless really needed AND the client app and environment are under your own full control. You may have full control over the app, but you cannot control the phone OS (security updates, …). This blog post goes over the various problems. I do not fully agree …

Should clients get OAuth 2 access tokens using GET or POST?

The most common argument is that you should not put sensitive information in a query string (GET parameter), as Web servers typically log the HTTP request URL. POST data can be arbitrarily long, so it is not usually logged. Therefore, when you're dealing with something like client_secret or code (although it's one-time use), it makes …

Can I really not ship open source with Client ID? [closed]

On November 5th 2014, Google made some changes to the APIs Terms of Service. Like you, I had an issue with the following line: Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects. I have several open source projects on GitHub; they are basically …

Get started with Office 365 REST API

[Update Aug 20th, 2015]: It looks like there is a new getting started experience, which will help register your app, and even create a starter project in the language of your choice. I would certainly recommend trying that first, rather than going through the manual steps outlined below. To register apps manually (e.g., not through …