I am creating an Android app that will be using a Django backend, along with the Django Rest Framework. I have been reading the OAuth2 documentation, but am still struggling to understand a few key points about its authentication.
These are my main questions/things I'm struggling with:
I'll be using the word "app" to mean two different things:
app, to indicate an OAuth2 app, which you'll create to register your mobile app(s)
app, to indicate a mobile app.

An OAuth2 app is basically a way of registering a client (in this case, your mobile app) with the resource server (in this case, your Django backend). You can go either way, creating two separate OAuth2 apps or a single OAuth2 app for your Android and iOS apps. Unless you are planning to give users of one app some more privileges or features, I don't see a benefit in creating two separate apps.

Each user is granted a different access token.

You'll have to store the client_secret in some secure way on your mobile app(s), because that's what will help you gain an access token for a user in the first place. You'll also store the access token after obtaining it, because it will be needed in making authenticated HTTP requests.
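The exchange the answer describes, as an added example that is not part of the original question or answer and not the code of any OAuth2 library: the mobile client builds a token request to the backend's token endpoint (the /o/token/ path and the client_id/client_secret values are placeholders), the backend issues a per-user access token, and every later request carries it as a Bearer header that the backend checks before serving the resource. The TokenStore class is a hypothetical stand-in for the backend's token table, written only so the check runs offline. One caveat from a security standpoint: a client_secret compiled into an installed app cannot be kept confidential from the device owner, which is why OAuth2 (RFC 8252) treats native apps as public clients; the server-side token check, with expiry, is what actually protects the API, so keep the token lifetime short and revoke on logout.

```python
import base64
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholder values; a real deployment takes these from the
# OAuth2 application registered on the Django backend.
CLIENT_ID = "android-app-client-id"
CLIENT_SECRET = "android-app-client-secret"
TOKEN_ENDPOINT = "/o/token/"  # placeholder path, adjust to your backend


def build_token_request(username, password, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Client side: headers and form body for a resource-owner-password grant.

    The client credentials travel in an HTTP Basic header, the user's
    credentials in the urlencoded body. Returns (path, headers, body).
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return TOKEN_ENDPOINT, headers, body


class TokenStore:
    """Hypothetical resource-server token table: one access token per user login."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._tokens = {}  # access_token -> (username, expires_at)

    def issue(self, username, now=None):
        """Server side: mint a random token and return the JSON-style token response."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, now + self.ttl)
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.ttl}

    def revoke(self, token):
        """Server side: drop a token (e.g. on logout) so it no longer authenticates."""
        self._tokens.pop(token, None)

    def authenticate(self, authorization_header, now=None):
        """Server side: return the username for a valid 'Bearer <token>' header, else None."""
        now = time.time() if now is None else now
        if not authorization_header:
            return None
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return None
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            return None  # expired tokens are rejected, not silently refreshed
        return username


def bearer_header(token_response):
    """Client side: the header the app attaches to every authenticated request."""
    return {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}


def simulate_login_and_request(store, username, password, now=None):
    """Whole exchange: token request -> token response -> authenticated request -> server check."""
    _path, _headers, _body = build_token_request(username, password)
    # A real backend would verify the client credentials and the user's password here.
    token_response = store.issue(username, now=now)
    request_headers = bearer_header(token_response)
    return store.authenticate(request_headers["Authorization"], now=now)


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    print(simulate_login_and_request(store, "alice", "correct horse battery staple"))
```

The client never sends its client_secret again after the token request; from then on only the access token identifies the user, which is why the answer says the app must keep both values and why the server must expire and revoke tokens rather than trusting them indefinitely.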