TheCoder

Reputation: 13

Is there a secure way to 100% verify the identity of a desktop application against a web-api?

We use the Authentication Code Flow with PKCE to authenticate the users against our native app (WPA) and some web-apis. Is there an additional method to verify the identity of this native app in our web-apis, or is the Authentication Code Flow with PKCE secure enough for this case?

Thanks in advance

Upvotes: 1

Views: 32

Answers (1)

juunas

Reputation: 58853

As far as I know, there is no way to authenticate the app itself. If the request starts from a device in my network, I can capture the request along with the access token. Then once I have the access token, I can make calls from an app that I wrote, and there won't be a way for your back-end to know otherwise.

You can only verify the user since the identity provider has issued a signed token for them after they have authenticated. In your back-end you need to check the user's access to the resources they are trying to access.

Upvotes: 0
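To make the point of the answer concrete, here is a small resource server that does exactly what a back-end can do with a bearer token: check the signature, audience and expiry, then authorize the user named in the token. It is an added example, not code from the question or the answer. Everything in it is constructed for the demo: the identity provider is a local function, the token is an HS256 JWT signed with a shared secret (a real API would validate RS256/ES256 tokens against the provider's published keys), and the document ownership table is made up. The `demo()` function sends the same captured token once from the "real" app and once from an attacker's script; the server returns identical results because nothing in the request proves which program sent it.

```python
"""Minimal resource server showing what a back-end can and cannot verify
about an OAuth 2.0 bearer token.  Added example; the identity provider,
signing key, token format and ownership table are all constructed."""
import base64
import hashlib
import hmac
import json

# Constructed: shared secret between the (fake) identity provider and the API.
IDP_SIGNING_KEY = b"demo-secret-do-not-use-in-production"
API_AUDIENCE = "api://documents"

# Constructed: which user owns which document.
DOCUMENT_OWNERS = {"doc-1": "alice", "doc-2": "bob"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, now: int, ttl: int = 3600) -> str:
    """Stand-in for the identity provider: issues an HS256 JWT for a user."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int) -> dict:
    """What the API *can* check: signature, audience, expiry.  Raises ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SIGNING_KEY, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(claims_b64))
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def handle_request(headers: dict, document_id: str, now: int) -> tuple:
    """Resource endpoint GET /documents/<id>.  Returns (status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], now)
    except ValueError as exc:
        return 401, str(exc)
    owner = DOCUMENT_OWNERS.get(document_id)
    if owner is None:
        return 404, "no such document"
    # Authorization is per *user*: the token says who, the back-end decides what.
    if owner != claims["sub"]:
        return 403, "forbidden"
    return 200, "contents of " + document_id


def demo(now: int = 1_700_000_000) -> dict:
    token = issue_token("alice", API_AUDIENCE, now)
    # Same token from two different programs.  User-Agent is client-controlled
    # and proves nothing, so the server treats both requests identically.
    legit_app = {"Authorization": "Bearer " + token, "User-Agent": "OurNativeApp/1.0"}
    attacker = {"Authorization": "Bearer " + token, "User-Agent": "curl/8.0"}
    # Attacker tries to swap the subject without the IdP key: signature fails.
    head, _claims, sig = token.split(".")
    forged_claims = _b64url(json.dumps(
        {"sub": "bob", "aud": API_AUDIENCE, "iat": now, "exp": now + 3600}).encode())
    forged = {"Authorization": "Bearer " + head + "." + forged_claims + "." + sig}
    return {
        "legit_own_doc": handle_request(legit_app, "doc-1", now),
        "attacker_replay": handle_request(attacker, "doc-1", now),   # indistinguishable
        "other_users_doc": handle_request(legit_app, "doc-2", now),  # user-level authz
        "expired": handle_request(legit_app, "doc-1", now + 7200),
        "forged_identity": handle_request(forged, "doc-1", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The two things the back-end does get from the token are a trustworthy user identity (the attacker cannot change `sub` without the provider's key) and a bounded lifetime, so short-lived access tokens plus per-user authorization checks are where the real mitigation lies; the `attacker_replay` case shows why a check on "which app sent this" is not something the server can perform.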
