Chessmate

Reputation: 71

Credentials for REST API

So basically I got my App ready for distribution (it will only be distributed among our customers, not worldwide via the Internet). It is a simple WPF (.NET Framework 4.8) app which interacts with a defined REST API. But to interact with said API I need, of course, credentials (user, password and a hashed string from a ClientID and ClientSecret). Currently I have this information as plain text in my source code... which is obviously NOT the final solution.

As I read quite a bit about different methods (SecureString, RFC2898DeriveBytes, salts, peppers etc.) of protecting the passwords, I continuously lost my focus.

So long story short, the Request to the API must look like this:

POST https://server.domain.tld/MobiControl/api/token HTTP/1.1
Host: server.domain.tld
Authorization: Basic QXBwbGljYXRpb24xOkFwcGxpY2F0aW9uMVBhc3N3b3Jk
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
grant_type=password&username=Administrator&password=1

As the body contains username and password in plaintext, I am asking myself: is it even possible, and does it make sense, to safely encrypt the credentials in the source code?

Upvotes: 0

Views: 261

Answers (1)

Simmetric

Reputation: 1681

Are the credentials to the API always the same, or can/do they depend on who's using the WPF application? If you're simply using the WPF user's credentials or something based on them, you're fine. There is no foolproof way to secure your credentials inside binaries that you're giving out to third parties. You can make it harder to extract by encrypting the credentials, but by definition the decryption key also has to be in your app.

I'm guessing you don't control the API? Otherwise the only way is to let the end user's credentials give access to the API.

Upvotes: 2
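An added example (not code from the question or the answer) illustrating the answer's suggestion in C# for a .NET Framework 4.8 client: the Basic header in the request above is only base64 of clientId:clientSecret, not a hash, so DecodeBasic shows that it reverses trivially and offers no protection; RequestTokenAsync then builds the token request from a username and password the current user supplies at run time instead of constants compiled into the binary. The class and method names, and the tokenUrl/clientId/clientSecret parameters, are assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

static class TokenClient
{
    // "Basic <value>" carries base64(clientId:clientSecret). Base64 is an encoding,
    // not a hash: anyone who can read the binary or the wire can recover both parts.
    public static string DecodeBasic(string headerValue)
    {
        var b64 = headerValue.StartsWith("Basic ", StringComparison.Ordinal)
            ? headerValue.Substring(6) : headerValue;
        return Encoding.UTF8.GetString(Convert.FromBase64String(b64));
    }

    // Password grant as in the question, but username/password come from the
    // caller (e.g. a PasswordBox at run time), so no end-user secret is embedded.
    // tokenUrl, clientId and clientSecret are example parameters (assumed names).
    public static async Task<string> RequestTokenAsync(
        HttpClient http, Uri tokenUrl, string clientId, string clientSecret,
        string username, string password)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, tokenUrl);
        var basic = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(clientId + ":" + clientSecret));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        // FormUrlEncodedContent sets Content-Type application/x-www-form-urlencoded,
        // computes Content-Length and URL-encodes each value for us.
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = username,
            ["password"] = password,
        });
        using (var response = await http.SendAsync(request).ConfigureAwait(false))
        {
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync().ConfigureAwait(false);
        }
    }

    static void Main()
    {
        // Decodes the Authorization value from the question's request to clientId:clientSecret.
        Console.WriteLine(DecodeBasic("Basic QXBwbGljYXRpb24xOkFwcGxpY2F0aW9uMVBhc3N3b3Jk"));
    }
}
```

The returned token response is JSON from the server; the example returns it as a string so the caller can parse it with whatever JSON library the app already uses.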
