Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
authentication - Is this a valid use-case for the Resource Owner flow?

Background

I am building a backend API that will be called by my mobile app. This API will not be made public and will only be used by my mobile application (at least that's the plan as of now). The users of the mobile app will be able to log in using their Facebook/Google details, or they can create a local account on the application and log in with that.

Question

Is the third case (the local account login) a valid use-case for using the Resource Owner Password flow? I see this flow now has a bad rep, but if the API is only used by my mobile app (which is a trusted client), is it okay to use this flow?

Question from: https://stackoverflow.com/questions/65937427/is-this-a-valid-use-case-for-the-resource-owner-flow


1 Answer


ROPC is a valid use case if trust is not a problem. I do think that in your case it can be considered, assuming your users 'trust you' with their credentials.

If your application is not using a browser, it is probably OK to use it (of course, considering many other factors like trust, how the password is stored, etc.).

I think the main reason to avoid the ROPC grant is that there are (more) chances for phishing. A consumer may get fooled easily, since your login screen is not 'that popular' like Google's or Facebook's, and they enter their credentials in the wrong place, and your application is at risk.


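The exchange the question and answer are weighing, as an added example that is not code from the original post: a simulated Resource Owner Password Credentials token request and token endpoint as defined in RFC 6749 section 4.3, plus the PKCE pair (RFC 7636) that the authorization code flow uses, which RFC 8252 recommends for native apps and which the OAuth 2.0 Security BCP (RFC 9700) points to instead of the password grant. The user store, the client_id `my-mobile-app`, the scope name, the token format and the PBKDF2 parameters are assumptions; everything runs in-process with no network.

```python
"""OAuth 2.0 password grant (ROPC) exchange, simulated in one process.

Added example, not from the original post.  The user store, client_id,
scope name, token format and hashing parameters are assumptions.
"""
import base64
import hashlib
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlencode

PBKDF2_ITERATIONS = 600_000  # assumed; matches current OWASP guidance for PBKDF2-HMAC-SHA256


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server never stores the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# A mobile app is a public client: it cannot keep a client_secret, so the
# token endpoint can only recognise it by its registered client_id (assumed).
REGISTERED_PUBLIC_CLIENTS = {"my-mobile-app"}


def build_ropc_request(client_id: str, username: str, password: str, scope: str = "api") -> str:
    """Body the mobile app POSTs to /token as application/x-www-form-urlencoded.

    Note what crosses the wire: the user's real password, handled by the app itself.
    """
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
    })


def token_endpoint(body: str) -> tuple[int, dict]:
    """Server side of the grant.  Returns (HTTP status, JSON response as a dict)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if form.get("client_id") not in REGISTERED_PUBLIC_CLIENTS:
        return 401, {"error": "invalid_client"}

    username = form.get("username", "")
    password = form.get("password", "")
    record = USERS.get(username)
    # Run the hash even for unknown usernames so response time does not
    # reveal which accounts exist; the dummy digest can never match.
    salt, stored = record if record is not None else (_SALT, b"\x00" * 32)
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        return 400, {"error": "invalid_grant"}  # RFC 6749 error for bad credentials

    return 200, {
        "access_token": secrets.token_urlsafe(32),  # opaque random token (assumed format)
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": form.get("scope", ""),
    }


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge from a code_verifier (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple[str, str]:
    """What an authorization-code client generates instead of sending a password.

    The verifier stays on the device; only the challenge goes to the
    authorization endpoint, so a phished or logged request yields nothing reusable.
    """
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128 range
    return verifier, pkce_challenge(verifier)


if __name__ == "__main__":
    good = build_ropc_request("my-mobile-app", "alice", "correct horse battery staple")
    print(token_endpoint(good))
    print(token_endpoint(build_ropc_request("my-mobile-app", "alice", "wrong password")))
    print(token_endpoint(build_ropc_request("some-other-app", "alice", "correct horse battery staple")))
    v, c = pkce_pair()
    print("verifier:", v, "\nchallenge:", c)
```

The server half is where the answer's "how the password is stored" caveat lands: the grant is only as safe as the credential handling behind the token endpoint, and the client half shows why the grant is discouraged, since the app itself sees and transmits the user's password. The `pkce_pair` helper is the client-side step of the replacement flow; the rest of the authorization code exchange (redirect to a system browser, the code itself) is not shown here.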