How to more secure OAuth2 Request?

Question

I'm trying to secure my API service by using OAuth2. In below scheme, phone request to OAuth server and I'm using SSL pinning between my API Server and client but I'm not sure If It can be exposed via main in the middle attack;

1-) An attacker can get OAuth url with MIMA and for example attack DDOS?

2-) Can attacker reach keychain on iOS and get JWT?

3-) Can attacker get certificate with MIMA or reverse enginner? So that SSL pinning become non-secure?

Answer 1

I'm trying to secure my API service by using OAuth2.

First of all, your scheme is not accoding with OAuth2 flow. See RFC6749.

The API server should play two roles (theoretically, not necessarily two servers)

• Authorization server: Authenticates the client and issues an access token
• Resource server: Protected resources which requires to present a valid access token

The app does not ask to user for username/password directly. The request is made by the Authorization Server using web redirections, so user's credentials are never requested by the client apps.

1-) An attacker can get OAuth url with MIMA and for example attack DDOS?**

Oauth2 URL can be public. This is not a problem

2-) Can attacker reach keychain on iOS and get JWT?

No, it is protected by Operating System

3-) Can attacker get certificate with MIMA or reverse engineer? So that SSL pinning become non-secure?

The pinning certificate is public and usually are published by the Certificate Authority. It is a reduced set of CA's root certificates that are accepted by the client when establishing an SSL connection. An attacker can not present a valid certificate of this CA because he does not own the private key, so he can not perform a MITM attack.

---

Disclaimer: Oauth2 was designed mainly for web applications. If you use native applications I suggest using OpenIdConnect, which is an extension of OAuth2, to avoid the intensive usage or web redirections