
I am currently working on my own iOS application and am going to be using a locally developed API for fetching data. I wanted to outline my current account sign-in architecture and verify this is correct and can prevent as many security holes as possible.

I will be using Patreon OAuth to verify the person logging in is actually a member of my Patreon group. If that person is not already signed up, we will go through the OAuth process and create an account, grabbing data from Patreon when and if the OAuth is successful. I guess my question here is, is it reasonable to assume if the OAuth connection is successful, I can then issue that newly created user a JWT that is stored in my iOS user defaults and they can use that to make API calls to the API I have made?
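The server-side half of the flow the question describes, as an added example that is not code from the question or from Patreon: the API (never the iOS app) holds the OAuth client secret, exchanges the code, fetches the user's identity document, checks membership, and only then mints a short-lived HS256 JWT for its own sessions. Everything Patreon-specific is stubbed: the identity document shape, the campaign id `camp-1`, the issuer name `my-api` and the sample users are assumptions for this example, not Patreon's documented schema. The verifier pins the algorithm, checks the signature in constant time and rejects expired or tampered tokens, which is the part of "issue a JWT" that usually goes wrong.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side HMAC key for session tokens. Constructed here for the example;
# in production load it from a secret store and never ship it inside the app.
SESSION_SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60    # short-lived: membership is re-checked on renewal
TOKEN_ISSUER = "my-api"        # assumed name of the locally developed API
CAMPAIGN_ID = "camp-1"         # hypothetical Patreon campaign id for this example


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def patreon_user_is_member(identity: dict, campaign_id: str) -> bool:
    """Membership check over the identity document the API fetched from Patreon
    with the access token it obtained. The document shape used here is an
    assumption for this example, not Patreon's documented schema."""
    for item in identity.get("included", []):
        if item.get("type") != "member":
            continue
        campaign = item.get("relationships", {}).get("campaign", {}).get("data", {})
        status = item.get("attributes", {}).get("patron_status")
        if campaign.get("id") == campaign_id and status == "active_patron":
            return True
    return False


def issue_session_token(user_id: str, key: bytes, now=None) -> str:
    """Mint an HS256 JWT for the API's own session, bound to the Patreon user id."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": TOKEN_ISSUER, "sub": user_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_session_token(token: str, key: bytes, now=None) -> dict:
    """Validate a token presented on an API call; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own header choose it
    # (blocks alg=none and RS256/HS256 key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != TOKEN_ISSUER or not isinstance(claims.get("exp"), int):
        raise ValueError("unexpected claims")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def token_is_valid(token: str, key: bytes, now=None) -> bool:
    try:
        verify_session_token(token, key, now)
        return True
    except ValueError:
        return False


def sign_in_after_oauth(identity: dict, key: bytes, now=None) -> str:
    """Server-side step after the code exchange: only an active member gets a session."""
    if not patreon_user_is_member(identity, CAMPAIGN_ID):
        raise PermissionError("OAuth succeeded but the user is not an active member")
    return issue_session_token(identity["data"]["id"], key, now)


# Constructed sample identity documents (shape assumed, see patreon_user_is_member).
SAMPLE_ACTIVE_PATRON = {
    "data": {"type": "user", "id": "user-42"},
    "included": [{"type": "member", "attributes": {"patron_status": "active_patron"},
                  "relationships": {"campaign": {"data": {"type": "campaign", "id": "camp-1"}}}}],
}
SAMPLE_FORMER_PATRON = {
    "data": {"type": "user", "id": "user-43"},
    "included": [{"type": "member", "attributes": {"patron_status": "former_patron"},
                  "relationships": {"campaign": {"data": {"type": "campaign", "id": "camp-1"}}}}],
}
```

The token the API returns is a bearer credential, so on the device it belongs in the Keychain rather than in UserDefaults, which is stored as an unprotected plist; and because membership can lapse, the token is deliberately short-lived so that renewal forces another membership check on the server rather than trusting a one-time OAuth success indefinitely.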

  • What you're describing here depends on your Identity Provider (IdP). Many IdPs support some form of additional custom steps and/or hooks as part of their auth flow which you can use to communicate with your API (the iOS app should not be involved). Such mechanisms are down to the IdP and not part of the OAuth2 spec, however; so you need to consult their documentation to understand what capabilities exist, if any. Commented Jan 15, 2023 at 10:13
  • However, a quick glance at the Patreon OAuth documentation suggests that Patreon explicitly warn against using it as an Identity Provider for your app. In other words, there is no secure way for what you're trying to do here, you will need to choose a different identity provider for your app and connect that provider with Patreon instead: patreon.com/portal/start/oauth-explained Commented Jan 15, 2023 at 10:19
