OAuth2 flow — using authorization grant code?

Hi! I’m trying to work on yet another OGS iOS client. Based on forum posts and third-party clients I’ve tried, it seems like the Way Things Are Done is to manually ask the user for their password and send off an OAuth token POST request to http://online-go.com/oauth2/token with response_type=password.

I’m not wild about this — I’d really rather not be responsible for managing the user’s password. For a situation like this (a mobile app with no server component), the flow I’d expect (per e.g. the RFC for OAuth2 for native apps) is to kick the user out to an external web browser (either standalone Safari or an SFSafariViewController component I do not have the ability to sniff) to go through an official OAuth login flow on the official online-go.com login screen, passing in a redirect_uri that has my app’s custom URI scheme, so after login happens my app will be re-foregrounded and have access to the valid token. Ideally this would be with PKCE (which I assume isn’t supported) but the more basic version would use an authorization-code grant (aka response_type=code), which is an option in the OAuth app config UI.

However, if I go to https://online-go.com/oauth2/token/?response_type=code&client_id=CLIENT_ID&redirect_uri=ALLOWED_REDIRECT in my web browser, I get a 405, suggesting that this is a valid endpoint that explicitly does not allow GET requests. If I go to Play Go at online-go.com! | OGS, I of course get the expected sign-in screen, but that is (reasonably, expectedly) not set up as an OAuth endpoint that respects OAuth query params.

Is this flow supported at all, possibly at a different endpoint? As mentioned, the existence of “authorization-code” as a valid authorization grant type in the OAuth app management tool suggests it might be, but it’s leaving me unclear how to actually implement it.

“OGS OAuth2 flows” and “Is there a way to integrate the authorization flow which allows users to "log in with Online-go"” seem to be people asking more or less the same thing, so I’m not optimistic, but figured I’d at least try to confirm that what I’m trying to do isn’t supported.

2 Likes
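The client side of the flow described in the post (authorization-code grant with PKCE for a native app), as an added example that is not part of the original post and not OGS code. The authorization endpoint, client id and custom URI scheme are placeholders, since the post does not establish that OGS exposes such an endpoint.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders (assumptions, not from the post): endpoint, client id, URI scheme.
AUTHORIZE_URL = "https://auth.example/oauth2/authorize/"
CLIENT_ID = "CLIENT_ID"
REDIRECT_URI = "com.example.goclient:/oauth/callback"

def code_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def begin_login():
    """Return (URL to open in the system browser, secrets the app keeps locally)."""
    verifier = secrets.token_urlsafe(32)  # 43 chars, the RFC 7636 minimum length
    state = secrets.token_urlsafe(16)     # binds the callback to this attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}

def finish_login(callback_url: str, pending: dict) -> dict:
    """Validate the redirect that re-foregrounds the app; return the token POST form."""
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.path) != (want.scheme, want.path):
        raise ValueError("callback does not match our redirect_uri")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback is not for this login attempt")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {  # form body for the POST to the token endpoint
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["code_verifier"],
    }
```

The password never passes through the app: it only sees the one-time code, and the `code_verifier` keeps another app that registers the same URI scheme from redeeming an intercepted code.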