OAuth2 / OIDC
Overview
This guide explains how to integrate an OAuth 2.0 / OpenID Connect (OIDC) authentication flow into applications built on the Applicaster platform. OAuth 2.0 is a widely adopted framework for delegated authorization; OIDC is an identity layer on top of it. For details, see the OAuth 2.0 specification (RFC 6749) and OpenID Connect Core 1.0. The integration differs between Mobile, TV, Web and Roku because each platform has its own constraints.
1. General Concepts
- OAuth2 is a framework for delegated authorization.
- OIDC extends OAuth2 with identity information (ID tokens).
- Applicaster apps use the OAuth2 Login plugin and TV OAuth2 (or Login Flow for Roku) plugin to authenticate users, receive tokens, and make authenticated API calls.
- PKCE (Proof Key for Code Exchange) should always be enabled for public clients (Mobile, Web).
- Different flows are required depending on platform capabilities:
- Mobile/Web → Authorization Code + PKCE
- TV → Device Authorization Grant
- Roku → Applicaster’s Login Flow, which requires ROPC (Password flow) under the hood
2. Platform-Specific Guides
2.1 Mobile (iOS / Android)
Authorization Service Setup
- Register a Native App client.
- Enable the Authorization Code + PKCE flow.
- Configure Redirect URIs; they must include the app URL scheme as described below.
  - For iOS, use `<app_url_scheme>://oauth`. For example, if the app URL scheme is `myapp`, set `myapp://oauth`.
  - For Android, use `com.oauth2.<app_url_scheme>://oauth`. For example, if the app URL scheme is `myapp`, set `com.oauth2.myapp://oauth`.
- Add the required scopes (`openid`, `profile`, `email`, `offline`).
- Enable refresh tokens if long sessions are needed. Usually requesting the offline scope (`offline_access` in OIDC Core; some providers name it `offline`) is what makes the provider issue a refresh token, but this varies between providers, so check your provider's documentation.
Plugin setup
- Add OAuth2 Login plugin in Zapp Studio.
- Provide `client_id`, `redirect_uri`, and either `issuer` (so the plugin can use OIDC discovery) or explicit endpoints (authorization, token, revocation, etc.).
- Configure scopes, the storage key, and optional extra parameters.
- Flow: the app opens the browser → the user logs in → the provider redirects to the registered redirect URI with an authorization code → the plugin exchanges the code (together with the PKCE verifier) for tokens → the tokens are stored.
2.2 TV (Smart TV, Apple TV, Android TV)
Authorization Service Setup
- Enable Device Authorization Grant (device code flow).
- Register a TV Client with allowed scopes.
- Provide device authorization + token endpoints.
See Applicaster’s Device Authorization Grant guide for more info.
Plugin setup
- Configure client ID, device authorization endpoint, token endpoint and refresh endpoint in the layout used by the app.
- App calls device authorization → shows code + URL → user authorizes on another device → TV polls token endpoint → receives tokens.
Notes
- Respect the polling `interval` returned by the device authorization response; polling faster than that is what triggers `slow_down`.
- Handle the token endpoint error responses defined by RFC 8628: `authorization_pending` (keep polling), `slow_down` (add 5 seconds to the interval, then keep polling), `expired_token` (the device code is no longer valid; restart the flow) and `access_denied` (the user refused; stop polling).
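The polling loop described above, as an added example that is not the TV OAuth2 plugin's own code. The endpoint URLs and client ID are placeholders, and the transport `post(url, form)` and `sleep(seconds)` are injected synchronous functions so the loop is deterministic (a real transport is async, with the same control flow). The mock provider at the bottom is constructed for the example and scripts the token endpoint's answers.

```javascript
// Device Authorization Grant (RFC 8628): request a device code, show it to the
// user, then poll the token endpoint respecting the interval and error codes.
// Assumed placeholders, not from the Applicaster plugin:
const DEVICE_AUTH_URL = 'https://auth.example.com/oauth2/device';
const TOKEN_URL = 'https://auth.example.com/oauth2/token';
const CLIENT_ID = 'tv-client';
const DEVICE_GRANT = 'urn:ietf:params:oauth:grant-type:device_code';

function requestDeviceCode(post, scope) {
  const { status, body } = post(DEVICE_AUTH_URL, { client_id: CLIENT_ID, scope });
  if (status !== 200) throw new Error(`device authorization failed: HTTP ${status}`);
  return {
    deviceCode: body.device_code,
    userCode: body.user_code,                 // shown on the TV screen
    verificationUri: body.verification_uri,   // shown on the TV screen
    interval: body.interval || 5,             // RFC 8628 default is 5 seconds
    expiresAt: Date.now() + body.expires_in * 1000,
  };
}

function pollForTokens(post, sleep, dev) {
  let interval = dev.interval;
  for (;;) {
    sleep(interval);                          // never poll faster than the interval
    if (Date.now() > dev.expiresAt) throw new Error('device code expired; restart the flow');
    const { status, body } = post(TOKEN_URL, {
      grant_type: DEVICE_GRANT, device_code: dev.deviceCode, client_id: CLIENT_ID,
    });
    if (status === 200) return { tokens: body, interval };
    switch (body.error) {
      case 'authorization_pending':           // user has not approved yet: keep polling
        break;
      case 'slow_down':                       // RFC 8628: add 5 seconds before the next poll
        interval += 5;
        break;
      case 'expired_token':                   // code no longer valid: start over
        throw new Error('device code expired; restart the flow');
      case 'access_denied':                   // user refused on the other device
        throw new Error('user denied authorization');
      default:
        throw new Error(`token endpoint error: ${body.error || status}`);
    }
  }
}

// Constructed mock provider: fixed device-endpoint answer, and a scripted list of
// token-endpoint outcomes ('ok' or an RFC 8628 error code) consumed one per poll.
function createMockProvider(tokenOutcomes) {
  const script = [...tokenOutcomes];
  return function post(url, form) {
    if (url === DEVICE_AUTH_URL && form.client_id === CLIENT_ID) {
      return { status: 200, body: { device_code: 'dc-123', user_code: 'WDJB-MJHT',
        verification_uri: 'https://auth.example.com/activate', expires_in: 600, interval: 5 } };
    }
    if (url === TOKEN_URL) {
      if (form.grant_type !== DEVICE_GRANT || form.device_code !== 'dc-123') {
        return { status: 400, body: { error: 'invalid_grant' } };
      }
      const next = script.shift();
      return next === 'ok'
        ? { status: 200, body: { access_token: 'at-1', token_type: 'Bearer', expires_in: 3600, refresh_token: 'rt-1' } }
        : { status: 400, body: { error: next } };
    }
    return { status: 404, body: {} };
  };
}

// Runs the whole exchange against the mock and records every sleep so the
// back-off behaviour can be inspected.
function runDemo(tokenOutcomes) {
  const sleeps = [];
  const post = createMockProvider(tokenOutcomes);
  const dev = requestDeviceCode(post, 'openid profile');
  const { tokens, interval } = pollForTokens(post, (s) => sleeps.push(s), dev);
  return { userCode: dev.userCode, verificationUri: dev.verificationUri, sleeps, interval, tokens };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runDemo(['authorization_pending', 'slow_down', 'authorization_pending', 'ok']);
  console.log(`Go to ${r.verificationUri} and enter ${r.userCode}`);
  console.log(`polled with intervals ${r.sleeps.join(', ')}s; access token ${r.tokens.access_token}`);
}
```

With the scripted outcomes `pending, slow_down, pending, ok` the loop sleeps 5, 5, 10 and 10 seconds: the interval grows by 5 after `slow_down` and stays there, which is the behaviour a provider expects from a TV client.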
2.3 Web
Provider-side setup
- Register a Web/SPA client.
- Enable Authorization Code + PKCE.
- Configure redirect URIs and allowed origins.
- Provide scopes.
- Applicaster web apps are deployed on a server, so the client can be registered as a confidential client with a client secret. Set the secret when deploying the web app (as a deployment setting, not in code shipped to the browser).
Plugin setup
- Configure client ID, redirect URI, issuer/discovery or manual endpoints.
- Flow: the browser redirects to the provider → the user logs in → the provider calls back to the redirect URI with a code → the code is exchanged for tokens → the tokens are stored in session or local storage (both are readable by any script running on the page, so XSS protections matter for these apps).
2.4 Roku
Roku devices impose strict certification requirements: all account sign-ups and sign-ins must occur entirely on the device itself; no external web pages, links, or off-device login flows are allowed (see the Roku Developer Guide).
Because of this, Roku integrations must use Applicaster's Login Flow, which uses the Resource Owner Password Credentials (ROPC) grant under the hood. ROPC hands the user's password to the app itself, which is why the OAuth 2.0 Security Best Current Practice discourages it in general; enable it only for a dedicated Roku client with the minimal scopes it needs.
Provider-side setup (Roku)
- Enable the ROPC grant in your OAuth2/OIDC provider (required for Roku).
- Register a dedicated Roku client with minimal scopes (e.g. `openid`, `profile`).
- Ensure your token endpoint accepts `grant_type=password` requests.
Plugin setup (Roku)
- In Zapp Studio, configure the Login Flow plugin.
- Provide:
- Client ID (Roku client)
- Token endpoint URL
Flow (Roku with Login Flow)
- Roku app presents an on-device login form.
- User enters username + password.
- Tokens (access, refresh, ID) are returned and stored locally.
- Logout clears tokens and optionally calls revocation endpoint.
Why Login Flow Is Required
- Roku mandates on-device registration and authentication for certification.
- Applicaster’s Login Flow plugin ensures compliance while maintaining integration with OAuth2/OIDC backends.
- This is the only supported method for Roku integrations.
3. Best Practices
- Redirect URIs must match exactly (scheme, host and path, following the app URL scheme conventions above); register them as fixed values rather than patterns.
- Always use PKCE (S256) for public clients.
- Implement token refresh handling: refresh shortly before the access token expires, and treat a failed refresh (for example `invalid_grant` after the refresh token was revoked or expired) as a signal to log the user in again.
- Clear tokens from storage on logout and revoke them at the provider when a revocation endpoint is configured.
- For Roku: use Login Flow to comply with Roku's on-device registration requirement.
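The Roku login flow from 2.4 (ROPC against the token endpoint) combined with the refresh and logout handling from the best practices above, as an added example that is not the Login Flow plugin's own code. The endpoint URLs and client ID are placeholders; `post(url, form)` is an injected synchronous transport returning `{ status, body }` with the body already parsed as JSON, and `now()` is an injected clock, so the constructed mock provider at the bottom runs offline and deterministically.

```javascript
// Assumed placeholders, not from the Applicaster plugin:
const TOKEN_URL = 'https://auth.example.com/oauth2/token';
const REVOKE_URL = 'https://auth.example.com/oauth2/revoke';
const CLIENT_ID = 'roku-client';
const SCOPE = 'openid profile';          // minimal scopes for the dedicated Roku client
const REFRESH_SKEW_MS = 30 * 1000;       // refresh shortly before expiry, not after

function createSession(post, now) {
  let tokens = null;

  function store(body) {
    tokens = {
      access: body.access_token,
      id: body.id_token,
      // Providers may omit refresh_token in a refresh response; keep the existing one then.
      refresh: body.refresh_token || (tokens && tokens.refresh) || null,
      expiresAt: now() + body.expires_in * 1000,
    };
  }

  return {
    // ROPC: credentials go straight to the token endpoint. Only acceptable for the
    // on-device Roku form; platforms that can open a browser use Code + PKCE instead.
    login(username, password) {
      const { status, body } = post(TOKEN_URL, {
        grant_type: 'password', client_id: CLIENT_ID, scope: SCOPE, username, password,
      });
      if (status !== 200) throw new Error(`login failed: ${body.error || status}`);
      store(body);
    },

    // Returns a usable access token, refreshing transparently when it is about to
    // expire. A failed refresh (e.g. invalid_grant after revocation) ends the session.
    accessToken() {
      if (!tokens) throw new Error('not logged in');
      if (now() + REFRESH_SKEW_MS >= tokens.expiresAt) {
        if (!tokens.refresh) { tokens = null; throw new Error('session expired; log in again'); }
        const { status, body } = post(TOKEN_URL, {
          grant_type: 'refresh_token', client_id: CLIENT_ID, refresh_token: tokens.refresh,
        });
        if (status !== 200) { tokens = null; throw new Error(`refresh failed (${body.error}); log in again`); }
        store(body);
      }
      return tokens.access;
    },

    // Clears local state first, then revokes the refresh token at the provider
    // (RFC 7009), so logout completes even if the revocation call fails.
    logout() {
      if (!tokens) return;
      const refresh = tokens.refresh;
      tokens = null;
      if (refresh) post(REVOKE_URL, { token: refresh, token_type_hint: 'refresh_token', client_id: CLIENT_ID });
    },

    isLoggedIn() { return tokens !== null; },
  };
}

// Constructed mock provider: one valid user, 60-second access tokens, refresh
// responses without a new refresh_token, and a revocation endpoint that kills it.
function createMockProvider() {
  let n = 0;
  const live = new Set();
  const revoked = new Set();
  const issue = (withRefresh) => {
    n += 1;
    const body = { access_token: `at-${n}`, token_type: 'Bearer', expires_in: 60, id_token: `idt-${n}` };
    if (withRefresh) { body.refresh_token = `rt-${n}`; live.add(body.refresh_token); }
    return { status: 200, body };
  };
  return {
    revoked,
    post(url, form) {
      if (url === REVOKE_URL) { live.delete(form.token); revoked.add(form.token); return { status: 200, body: {} }; }
      if (url !== TOKEN_URL) return { status: 404, body: {} };
      if (form.grant_type === 'password') {
        return form.username === 'alice' && form.password === 'correct horse battery staple'
          ? issue(true) : { status: 400, body: { error: 'invalid_grant' } };
      }
      if (form.grant_type === 'refresh_token') {
        return live.has(form.refresh_token) ? issue(false) : { status: 400, body: { error: 'invalid_grant' } };
      }
      return { status: 400, body: { error: 'unsupported_grant_type' } };
    },
  };
}

// Walks through login, a refresh forced by advancing the clock, and logout.
function runDemo() {
  let clock = 1000000;
  const provider = createMockProvider();
  const session = createSession(provider.post, () => clock);
  session.login('alice', 'correct horse battery staple');
  const first = session.accessToken();   // fresh token, no refresh
  clock += 31 * 1000;                    // now inside the 30 s skew: refresh happens
  const second = session.accessToken();
  session.logout();
  return { first, second, revoked: [...provider.revoked], loggedIn: session.isLoggedIn() };
}
```

`runDemo()` yields `at-1`, then `at-2` after the clock-driven refresh, and after logout the mock shows `rt-1` revoked with the session logged out. Because `logout()` drops local tokens before calling the revocation endpoint, a network failure there cannot leave a "logged in" device holding stale credentials.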