John Doe

Reputation: 109

.NET OAuth2 Auth Flow if Token Already Exists

I have a .NET application that integrates with a web server to show users information from their online profile on their desktop computer.

The native apps currently use an API ID and Password for API requests to our server but we want to upgrade to OAuth2 tokens for authorization. I understand the authorization code flow and PKCE security requirement for native apps and how that flow works when a user doesn't already have a token. What I don't understand is how to securely store the token on the client machine (for use in future API requests) after it is retrieved from the token server.

If I understand correctly, the client should store their access token and use it for future API requests until it expires, at which point a new token can be requested. But how can this be the case when PKCE is used because we can't trust local storage for client secrets?

Any help is greatly appreciated!

Upvotes: 0

Views: 244

Answers (1)

Gary Archer

Reputation: 29293

For native apps you can use built-in OS secure storage, which will store a refresh token securely, scoped to the user and app, encrypted with a user-specific secret.

Some screenshots here may help you to understand what this looks like: https://authguidance.com/2018/01/26/final-desktop-sample-overview/

If it helps you can run my demo app by following instructions here: https://authguidance.com/home/code-samples-quickstart/

Upvotes: 1
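As an added example (not code from the question, the answer, or the linked demo app), here is what "OS secure storage" looks like on Windows in .NET: the refresh token is persisted with DPAPI (`System.Security.Cryptography.ProtectedData`, scope `CurrentUser`), so the blob on disk is encrypted with a key derived from the logged-on user's credentials, while the short-lived access token is kept only in memory and re-obtained with the `refresh_token` grant. The class name `TokenStore`, the folder `ExampleDesktopApp`, the entropy string and the token endpoint URL are assumptions; on .NET 6+ the `System.Security.Cryptography.ProtectedData` NuGet package is required (it is built into .NET Framework), and DPAPI is Windows-only. The point worth noticing is that a PKCE public client has no client secret to protect; what is stored is the user's refresh token, and its protection boundary is the OS user account.

```csharp
// Added example: persisting an OAuth2 refresh token with Windows DPAPI and using it
// to obtain fresh access tokens. Not from the question/answer; names are hypothetical.
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class TokenStore
{
    // Optional entropy mixed into the DPAPI key. It ties the blob to this app's
    // string, but any code running as the same user can read it from the binary,
    // so the real security boundary remains the Windows user profile.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("ExampleDesktopApp.RefreshToken.v1"); // hypothetical

    private static readonly string StorePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleDesktopApp", "refresh_token.bin");                   // hypothetical

    public static void Save(string refreshToken)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(refreshToken);
        byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plaintext, 0, plaintext.Length);
        Directory.CreateDirectory(Path.GetDirectoryName(StorePath)!);
        File.WriteAllBytes(StorePath, blob);
    }

    public static string? Load()
    {
        if (!File.Exists(StorePath)) return null;
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(
                File.ReadAllBytes(StorePath), Entropy, DataProtectionScope.CurrentUser);
            string token = Encoding.UTF8.GetString(plaintext);
            Array.Clear(plaintext, 0, plaintext.Length);
            return token;
        }
        catch (CryptographicException)
        {
            // Blob belongs to another user profile or was tampered with:
            // discard it and fall back to a full authorization-code + PKCE login.
            File.Delete(StorePath);
            return null;
        }
    }

    public static void Clear()
    {
        if (File.Exists(StorePath)) File.Delete(StorePath);
    }
}

public static class TokenClient
{
    private static readonly HttpClient Http = new HttpClient();
    private const string TokenEndpoint = "https://auth.example.com/oauth2/token"; // placeholder
    private const string ClientId = "example-desktop-client";                    // placeholder

    // Access token lives only in memory; it is never written to disk.
    public static string? AccessToken { get; private set; }

    // Exchanges the stored refresh token for a new access token. If the server
    // rotates refresh tokens, the new one replaces the stored blob.
    public static async Task<bool> RefreshAsync()
    {
        string? refreshToken = TokenStore.Load();
        if (refreshToken is null) return false;          // caller must run the PKCE login

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
            ["client_id"] = ClientId,
        });
        using HttpResponseMessage resp = await Http.PostAsync(TokenEndpoint, form);
        if (!resp.IsSuccessStatusCode)
        {
            TokenStore.Clear();                          // revoked/expired: force re-login
            return false;
        }

        using JsonDocument doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        AccessToken = doc.RootElement.GetProperty("access_token").GetString();
        if (doc.RootElement.TryGetProperty("refresh_token", out JsonElement rotated))
            TokenStore.Save(rotated.GetString()!);
        return AccessToken is not null;
    }
}

public static class Program
{
    public static async Task Main()
    {
        // First run: after the authorization-code + PKCE flow completes, persist
        // the refresh token once. Subsequent runs only need RefreshAsync().
        if (TokenStore.Load() is null)
            TokenStore.Save("refresh-token-from-pkce-login");   // constructed value
        Console.WriteLine(await TokenClient.RefreshAsync() ? "access token ready" : "login required");
    }
}
```

On first launch the app runs the authorization-code + PKCE flow and calls `TokenStore.Save` once; on later launches it calls `TokenClient.RefreshAsync()` and only falls back to the interactive login when the stored refresh token is missing, unreadable, or rejected by the server. If the token server does not issue refresh tokens to this client, the same store can hold the access token instead, at the cost of a new login each time it expires.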
