I'm working on a native Swift iOS app. I've done a lot of reading recently about OAuth 2.0, including this answer, a fair bit of RFC 6749, and several other tutorials. There are lots of comments about how using an embedded webview isn't ideal, because cookies can't be kept secure, hence SFSafariViewController and ASWebAuthenticationSession.
But I haven't seen much talk about a login without a webview/browser at all, collecting user credentials through a UIView form, using a Resource Owner Password Credentials Grant and sending data directly with a URLRequest. I'm building my own application, with my own resource server, and my own authentication server (or using something like Auth0), which is only handling access to my app's protected resources. So everything is 'highly trusted' here. But I've seen notices like the following concerning a resource owner password credentials grant (from here):
The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
Technically, using another flow is 'viable' - I could build it. Does using an external user-agent, SFSafariViewController or ASWebAuthenticationSession still offer security benefits that can't be matched with a native login in this scenario?
