I attended this session at Identiverse 2021: https://identiverse.com/idv2021/session/SESBSMQ1FA07QHXBG/ I don't think the video was online, but as I recall his advice was:
* figure out your risk posture
* secure your bearer token if you are using it
* if you need higher levels of assurance, then use DPoP https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04
The other thing to consider is whether you are first-party or third-party. If you are really using third-party auth, then you should follow RFC 8252 as linked above and pop out to the system browser. Otherwise you may use a webview (because if you control both ends, the tradeoff in improved UI may be worth the increased risk).
Definitely agree on reading the specs. If you are interested in OAuth in general, it's worth reviewing the OAuth 2.1 doc, which is a work in progress but will consolidate a lot of best practices: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
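The DPoP advice in the comment above, shown in working code. This is an added example, not code from the comment's author or from any project: a client builds one DPoP proof JWT per request and a resource server checks it the way draft-ietf-oauth-dpop-04 (since published as RFC 9449) describes, including the key binding that makes a stolen bearer token useless without the client's private key. The URL, the access-token string, the 60-second iat window and the in-memory jti set are constructed assumptions for the example; a real deployment would get the cnf.jkt value from the token itself and keep jti state in shared storage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

func sha256b64(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }

type jwk struct { // the client's public key, as carried in the DPoP proof header
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func jwkFromKey(pub *ecdsa.PublicKey) jwk {
	enc := func(i *big.Int) string { b := make([]byte, 32); i.FillBytes(b); return b64.EncodeToString(b) }
	return jwk{Kty: "EC", Crv: "P-256", X: enc(pub.X), Y: enc(pub.Y)}
}

// thumbprint is the RFC 7638 JWK thumbprint (SHA-256 over the required members in lexical
// order); the authorization server places this value in the access token's cnf.jkt claim.
func (k jwk) thumbprint() string {
	return sha256b64(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k.Crv, k.Kty, k.X, k.Y))
}

type proofClaims struct {
	JTI string `json:"jti"` // unique per proof so the server can refuse replays
	HTM string `json:"htm"` // HTTP method the proof covers
	HTU string `json:"htu"` // request URL without query or fragment
	IAT int64  `json:"iat"`
	ATH string `json:"ath"` // base64url(SHA-256(access token))
}

// makeProof is the client side: one DPoP proof JWT per request, signed with the bound key (ES256).
func makeProof(priv *ecdsa.PrivateKey, method, url, token string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkFromKey(&priv.PublicKey)})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { return "", err }
	pl, _ := json.Marshal(proofClaims{b64.EncodeToString(jti), method, url, now.Unix(), sha256b64(token)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256 signature is raw r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

type verifier struct{ seen map[string]bool } // resource server side; seen holds accepted jti values

func (v *verifier) verify(proof, method, url, token, boundJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { return fmt.Errorf("malformed proof") }
	hdrB, e1 := b64.DecodeString(parts[0])
	plB, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 { return fmt.Errorf("bad encoding") }
	var hdr struct{ Typ, Alg string; JWK jwk } // encoding/json matches field names case-insensitively
	var pl proofClaims
	if json.Unmarshal(hdrB, &hdr) != nil || json.Unmarshal(plB, &pl) != nil { return fmt.Errorf("bad json") }
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" { return fmt.Errorf("unexpected header") }
	// Verify the signature with the embedded key before trusting any claim in the proof.
	xb, e1 := b64.DecodeString(hdr.JWK.X)
	yb, e2 := b64.DecodeString(hdr.JWK.Y)
	if e1 != nil || e2 != nil { return fmt.Errorf("bad jwk") }
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(&pub, h[:], r, s) { return fmt.Errorf("bad signature") }
	// Binding: the key that signed the proof must be the key the token was issued to.
	if hdr.JWK.thumbprint() != boundJKT { return fmt.Errorf("proof key does not match the token's cnf.jkt") }
	if pl.HTM != method || pl.HTU != url { return fmt.Errorf("htm/htu do not match this request") }
	if d := now.Unix() - pl.IAT; d > 60 || d < -60 { return fmt.Errorf("iat outside acceptance window") }
	if pl.ATH != sha256b64(token) { return fmt.Errorf("ath does not match the presented access token") }
	if v.seen[pl.JTI] { return fmt.Errorf("replayed jti") }
	v.seen[pl.JTI] = true
	return nil
}

// runScenario: a fresh proof, that proof replayed, a proof for the wrong method, and a proof
// from a key the token is not bound to (a stolen token presented by the thief).
func runScenario() (fresh, replay, wrongMethod, wrongKey error) {
	const url, token = "https://resource.example/protected", "opaque-access-token" // constructed sample values
	now := time.Now()
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	boundJKT := jwkFromKey(&priv.PublicKey).thumbprint() // what the AS put in the token's cnf.jkt
	v := &verifier{seen: map[string]bool{}}
	p1, _ := makeProof(priv, "GET", url, token, now)
	fresh = v.verify(p1, "GET", url, token, boundJKT, now)
	replay = v.verify(p1, "GET", url, token, boundJKT, now)
	p2, _ := makeProof(priv, "GET", url, token, now)
	wrongMethod = v.verify(p2, "POST", url, token, boundJKT, now)
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p3, _ := makeProof(thief, "GET", url, token, now)
	wrongKey = v.verify(p3, "GET", url, token, boundJKT, now)
	return
}

func main() {
	fresh, replay, wrongMethod, wrongKey := runScenario()
	fmt.Println("fresh:", fresh, "| replay:", replay, "| wrong method:", wrongMethod, "| thief's key:", wrongKey)
}
```

The order of checks in verify is deliberate: the signature is validated against the embedded key first, then that key is compared with the token's binding, and only then are the cheap claim checks applied, so no claim in an unsigned or mis-signed proof ever influences a decision. The jti check is last and is the only one that mutates state, so a proof that fails any earlier check does not burn an identifier.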