One GPII security issue is protecting the communication between native GPII apps and GPII Cloud. That is, when receiving HTTP requests, GPII Cloud needs to ensure that these requests were sent by authorized native GPII apps rather than by random sources.
After some research, the OAuth2 resource owner password credentials grant was selected as the solution for this security issue: each native GPII app will be assigned a unique client credential, a pair of client id and secret. This client credential will be stored within the native GPII app. Before accessing any user information from GPII Cloud, the native GPII app needs to send the client credential to GPII Cloud, where the client credential will be verified to ensure that the party at the other end is an authorized GPII app.
This JIRA is an umbrella JIRA that includes sub-task JIRAs for implementing this design, which uses a dedicated process called "GPII access requester" to store the assigned client credential within the native GPII app and to communicate with GPII Cloud to request access tokens by providing the client credential.
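The verification step described above, as an added example (not GPII code): a token endpoint check for the OAuth2 resource owner password credentials grant, following RFC 6749 section 4.3. The client registry, the secrets, `checkUser` and sending the client credential as form parameters are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Store only a salted hash of each client secret, never the secret itself.
function hashSecret(secret, salt) {
    return crypto.scryptSync(secret, salt, 32);
}

// Constructed sample registry: one entry per assigned client credential.
const clients = new Map([
    ["app-client-1", { salt: "c0ffee", hash: hashSecret("constructed-secret-1", "c0ffee") }]
]);

// Hypothetical stand-in for the real resource owner (user) credential check.
function checkUser(username, password) {
    return username === "alice" && password === "constructed-password";
}

// Validate a form-encoded token request body (RFC 6749 section 4.3.2).
// Returns { status, body } shaped like RFC 6749 sections 5.1 and 5.2.
function handleTokenRequest(rawBody) {
    const p = new URLSearchParams(rawBody);
    const grant = p.get("grant_type");
    if (!grant) return { status: 400, body: { error: "invalid_request" } };
    if (grant !== "password") {
        return { status: 400, body: { error: "unsupported_grant_type" } };
    }
    for (const name of ["client_id", "client_secret", "username", "password"]) {
        if (!p.get(name)) return { status: 400, body: { error: "invalid_request" } };
    }
    const client = clients.get(p.get("client_id"));
    // Hash even for unknown clients so both failure paths do the same work.
    const salt = client ? client.salt : "dummy-salt";
    const presented = hashSecret(p.get("client_secret"), salt);
    const expected = client ? client.hash : Buffer.alloc(32);
    // Constant-time comparison avoids leaking how many bytes matched.
    const secretOk = crypto.timingSafeEqual(presented, expected);
    if (!client || !secretOk) {
        return { status: 401, body: { error: "invalid_client" } };
    }
    if (!checkUser(p.get("username"), p.get("password"))) {
        return { status: 400, body: { error: "invalid_grant" } };
    }
    const token = crypto.randomBytes(32).toString("hex");
    return { status: 200, body: { access_token: token, token_type: "Bearer", expires_in: 3600 } };
}
```

Unknown client ids and wrong secrets both yield `invalid_client`, so a caller cannot tell which part of the client credential was rejected.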
Related research and design documentation: