Reputation: 94
I was reading the OAuth docs and understand that https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce is better than the Authorization Code Flow, because it gives less possibility to get the client's code and exchange it for an access_token.
Also I saw that there were cases on the internet when client secrets were reversed from big mobile applications like Facebook or Twitter.
So for me it is still not clear how to get client identity implemented properly, e.g. if I use the resource owner grant type I have a client id and client secret stored in my app, and this can be reverse engineered and anybody can build the same application as mine.
If I use Authorization Code Flow with Proof Key for Code Exchange I still don't have any secret inside my app. So it means that any developer can build his own app that will be a mirror of my app.
So the question is if there is any way to implement client identity properly for mobile apps and pure JS (browser) clients?
UPDATE: there are 2 great options: 1 - use redirect URLs, 2 - set up CORS.
1: however, I think it will not help if I try to mimic the behaviour with back-end code. E.g. I don't really need to have access to the web site to see that at some point it will give a redirect in the header; I just get the message and have this authorization code. 2: the same for CORS: in the case of my mirror site I will do the token retrieval from the backend, and the server will not identify that the client is not the original one that has rights to work with this client.
Upvotes: 0
Views: 287
Reputation: 2394
So the question is if there is any way to implement client identity properly for mobile apps and pure JS (browser) clients?
Per spec, client authentication is mandatory for the Authorization Code flow. The redirection URI is a suggested solution to help with client authentication.
Here are the options on IDS4 to help authenticate the client: RedirectUris on the client config to specify the allowed URIs to return tokens or authorization codes. RefCode example:
```csharp
using IdentityServer4;
using IdentityServer4.Models;

var jsClient = new Client
{
    ClientId = "js",
    ClientName = "JavaScript Client",
    AllowedGrantTypes = GrantTypes.Code,    // authorization code flow
    RequireClientSecret = false,            // public (browser) client: no secret shipped to the browser
    // Only URIs listed here may receive authorization codes or tokens
    RedirectUris = { "https://localhost:5003/callback.html" },
    PostLogoutRedirectUris = { "https://localhost:5003/index.html" },
    // Browser origins allowed to call the token endpoint (CORS)
    AllowedCorsOrigins = { "https://localhost:5003" },
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile
    }
};
```
Upvotes: 1