#StackBounty: #mobile #oauth-2.0 #identityserver4 #openid-connect #appauth Can this OAuth2 Native app flow be considered secure?

Bounty: 50

I have an OpenID Connect provider built with IdentityServer4 and ASP.NET Identity, running on let’s say: login.example.com.

I have a SPA application running on let’s say spa.example.com, that already uses my OpenID Connect provider to authenticate users through login.example.com and authorize them to access the SPA.

I have a mobile app (native on both platforms) that is using a custom authentication system at the moment.

I thought it would be nice to get rid of the custom auth system, and instead allow my users to log-in with the same account they use on the SPA, by using my OpenID provider.

So I started by looking on the OpenID Connect website and also re-reading RFC6749. After a few Google searches I realized that this was a common problem, and I found RFC8252 (OAuth2 for Native Clients), as well as Client Dynamic Registration (RFC7591) and PKCE (RFC7636).

I scratched my head about the fact that it was no longer possible to store any kind of “secret” on the client/third-party (the native apps) as it could become compromised.

I discussed the topic with some co-workers and we came up with the following set-up:

  1. Associate a domain, let’s say app.example.com, with my mobile app by using Apple Universal Links and Android App Links.
  2. Use the Authorization Code flow for both clients and enforce that they use PKCE.
  3. Use a redirect_uri on the app-associated domain, say: https://app.example.com/openid
  4. Make the user always consent to log in to the application after login, because neither iOS nor Android would bring back the application through an automatic redirect; it has to be the user who manually taps the universal/app link every time.

I used the AppAuth library on both apps and everything is working just fine right now in testing, but I’m wondering:

  1. Do you think this is a secure way to prevent anyone with the right skills from impersonating my apps or otherwise getting unauthorized access to my APIs? What is the current best practice for achieving this?
  2. Is there any way to avoid having the user always “consent” (having them actually tap the universal/app link)?
  3. I also noted that Facebook uses their application as a kind of authorization server itself, so when I tap “Sign in with Facebook” in an application I get to a Facebook page that asks me if I would like to “launch the application to perform login”. I would like to know how I can achieve something like this, to allow my users to log in to the SPA on a phone by using my application if it is installed, as Facebook does with theirs.
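The Authorization Code + PKCE part of the set-up described in the question, as an added Python example that is not from the original post and is not IdentityServer4 or AppAuth code: the client-side code_verifier/code_challenge generation from RFC 7636, the authorization request the app opens in the system browser, and a constructed in-memory stand-in for the provider's authorize and token endpoints that shows why an authorization code observed on the redirect is useless without the verifier held in the app's memory. The endpoint path `/connect/authorize`, the client id `mobile-app` and the scopes are assumptions; the hosts follow the question's example names.

```python
"""
Authorization Code flow with PKCE (RFC 7636) for a public native client.
Constructed example: the endpoint model below is a stand-in, not IdentityServer4.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Assumed values modelled on the question's hosts; the endpoint path is hypothetical.
AUTHORIZE_ENDPOINT = "https://login.example.com/connect/authorize"
REDIRECT_URI = "https://app.example.com/openid"
CLIENT_ID = "mobile-app"  # public client: no client secret is stored in the app


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: random string of 43..128 chars from [A-Za-z0-9-._~].
    32 random bytes base64url-encoded without padding give exactly 43 characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(challenge: str, state: str, nonce: str) -> str:
    """The URL the app opens in the system browser (AppAuth assembles this for you)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",  # assumed scopes
        "state": state,              # CSRF binding for the redirect back to the app
        "nonce": nonce,              # bound into the ID token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def verify_code_challenge(stored_challenge: str, presented_verifier: str) -> bool:
    """Server-side check: recompute S256 over the verifier, compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


class ProviderModel:
    """Minimal in-memory model of the authorize and token endpoints (constructed)."""

    def __init__(self) -> None:
        # code -> (client_id, redirect_uri, code_challenge)
        self._codes: Dict[str, Tuple[str, str, str]] = {}

    def issue_code(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        """After the user authenticates: the code is bound to the challenge it was requested with."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str,
               code_verifier: str) -> Optional[dict]:
        """Token request: the code is consumed on first use, whether or not the check passes."""
        record = self._codes.pop(code, None)
        if record is None:
            return None
        exp_client, exp_redirect, challenge = record
        if client_id != exp_client or redirect_uri != exp_redirect:
            return None
        if not verify_code_challenge(challenge, code_verifier):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow() -> dict:
    """One successful login plus the two failure cases PKCE and single-use codes cover."""
    server = ProviderModel()

    # Session 1: the app keeps the verifier in memory and redeems its own code.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorization_url(challenge, secrets.token_urlsafe(16), secrets.token_urlsafe(16))
    code = server.issue_code(CLIENT_ID, REDIRECT_URI, challenge)
    legitimate = server.redeem(code, CLIENT_ID, REDIRECT_URI, verifier)
    replay = server.redeem(code, CLIENT_ID, REDIRECT_URI, verifier)  # consumed already

    # Session 2: a party that only saw the redirect has the code but not the verifier.
    verifier2 = make_code_verifier()
    code2 = server.issue_code(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier2))
    without_verifier = server.redeem(code2, CLIENT_ID, REDIRECT_URI, make_code_verifier())

    return {
        "url_has_s256": "code_challenge_method=S256" in url,
        "legitimate": legitimate,
        "replay": replay,
        "without_verifier": without_verifier,
    }


if __name__ == "__main__":
    print(run_flow())
```

The point the model makes explicit: for a public client nothing secret ships in the binary, so the only thing binding the token request to the app instance that started the login is the verifier, which exists only in that process's memory, and the code itself is consumed on the first token request whatever the outcome. The server-side checks (length bounds, constant-time comparison, client and redirect_uri re-validation) generalize beyond this one flow and are the ones to confirm are enabled on the real provider.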
