by richardknop 3215 days ago
The go-oauth2-server contains simple web forms (which you can style to match your UI) to handle the full authorization and implicit flows of OAuth2, so you would connect to the OAuth2 server from your app, log in, and be redirected back to the app with an authorization code; the app can then obtain access and refresh tokens from the OAuth2 server via an API call.

This is the normal authorization flow people are used to from Facebook/GitHub/LinkedIn; it works the same way. See the README for images of how the forms look out of the box, without any customization.

If you want to have an in-app login system, then the usual way I have implemented this before is to have a separate frontend layer. It works something like this:

1) Frontend (mobile/web app) displays login form

2) The user enters their username and password

3) Use the resource owner credentials grant to obtain an access token via an API call

4) Now you can make authenticated API calls with the access token (and use the refresh token in the background to renew your access token)

In the case of a web application frontend (let's say a NodeJS app), the app would store the client ID and secret server side (so you would proxy all requests from the client app to the Node proxy, because we don't want to keep the client ID and secret in public JS).
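The proxied login described in steps 1-4 above, as an added example in Go (not code from go-oauth2-server or from the commenter): the browser posts only a username and password to a login handler, the handler holds the client ID and secret and performs the resource owner password credentials grant (RFC 6749 section 4.3) against the token endpoint with HTTP Basic client authentication, and only the token response goes back to the browser. The OAuth2 server is replaced by a constructed fake token endpoint so the example runs offline; the token path `/v1/oauth/tokens`, the client name `web-app`, the secret, the user credentials and the token values are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// TokenResponse is the standard OAuth2 token response body (RFC 6749 section 5.1).
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// RequestPasswordGrant performs the resource owner password credentials grant:
// the client authenticates with Basic auth (client ID and secret) and sends the
// user's credentials in the form body. Only the server-side proxy ever calls this.
func RequestPasswordGrant(client *http.Client, tokenURL, clientID, clientSecret, username, password string) (*TokenResponse, error) {
	form := url.Values{}
	form.Set("grant_type", "password")
	form.Set("username", username)
	form.Set("password", password)
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret) // client ID and secret stay server side
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %d", resp.StatusCode)
	}
	var tok TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	if tok.AccessToken == "" {
		return nil, errors.New("token response had no access_token")
	}
	return &tok, nil
}

// NewLoginProxy is the frontend's server-side login handler (the Node proxy in the
// comment, written in Go here). The browser sends JSON {username, password} only.
func NewLoginProxy(tokenURL, clientID, clientSecret string) http.Handler {
	client := &http.Client{Timeout: 5 * time.Second}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		var creds struct {
			Username string `json:"username"`
			Password string `json:"password"`
		}
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&creds); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		tok, err := RequestPasswordGrant(client, tokenURL, clientID, clientSecret, creds.Username, creds.Password)
		if err != nil {
			// Upstream error details are not echoed to the browser.
			http.Error(w, "invalid credentials", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tok)
	})
}

// NewFakeTokenServer is a constructed stand-in for the OAuth2 server's token
// endpoint (not go-oauth2-server itself). It knows one client and one user.
func NewFakeTokenServer(clientID, clientSecret, user, pass string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client"})
			return
		}
		if r.FormValue("grant_type") != "password" || r.FormValue("username") != user || r.FormValue("password") != pass {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_grant"})
			return
		}
		json.NewEncoder(w).Encode(TokenResponse{AccessToken: "at-123", TokenType: "Bearer", ExpiresIn: 3600, RefreshToken: "rt-456"})
	}))
}

func main() {
	oauth := NewFakeTokenServer("web-app", "s3cret", "alice", "hunter2") // assumed values
	defer oauth.Close()
	proxy := httptest.NewServer(NewLoginProxy(oauth.URL+"/v1/oauth/tokens", "web-app", "s3cret"))
	defer proxy.Close()
	resp, err := http.Post(proxy.URL+"/login", "application/json", strings.NewReader(`{"username":"alice","password":"hunter2"}`))
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var tok TokenResponse
	json.NewDecoder(resp.Body).Decode(&tok)
	fmt.Printf("status=%d access_token=%s refresh_token=%s\n", resp.StatusCode, tok.AccessToken, tok.RefreshToken)
}
```

The point of the split is visible in the two handlers: the browser-facing handler never sees or sends the client secret, and a request that reaches the token endpoint with a wrong secret is rejected as invalid_client before the user's password is even checked.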