authentication - Should I use PKCE for OpenID Connect with Native Desktop Application?
Problem description
I want to use OpenID Connect for my native windows and Linux desktop applications to authenticate my users.
As stated in "OAuth 2.0 for Native Apps" Section 7.3 I want to open a local TCP port to redirect from the Authentication Server to get the Authorization Code. I think there is no other option to use for native apps which work both for Windows and Linux.
So the flow would be like:
- Native app starts and shows login button
- When login button is pressed
  - native app opens an ephemeral, local port
  - browser opens with login page of authentication provider (sending along the client id and secret, redirect URI and scope openid, response_type=code)
- After successful authentication of user in browser
  - the authentication provider redirects to the redirect URI, which is the local open port
  - the local port should display something like "close browser now and go back to app" to user
- Native application gets code from redirect and closes port
- Native application asks the token endpoint to get the identity token using the code
- validate the identity token using the signature
- will be able to get the details of the user out of that identity token
My question now is do I need PKCE? I found this article which states it does not bring any extra safety apart from making sure that when another app on the same device has registered the same Private-Use URI Scheme Redirect.
Is my plan in any other way flawed or needs further improvements? I understand that the client id and secret can be seen as "public" because they ship with the software and could be reverse engineered. But my software will not be available on public web pages (hopefully) and only be given to trusted customers (which will all have different client id and secrets).
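The PKCE and state handling for the loopback flow described in the question, as an added example (not code from the question or the answer): it derives the code_challenge from a random code_verifier (RFC 7636, S256), builds the authorization request for the loopback redirect, checks the state echoed back on the local port, and shows the verifier the token request must carry so the authorization server can bind the code to this app instance. The endpoint URLs and client id are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 4.1: 43..128 unreserved chars. 32 random bytes -> 43 chars of base64url, no padding.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def challenge_matches(verifier: str, challenge: str) -> bool:
    # What the authorization server does at the token endpoint: recompute and compare.
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorization_url(authorize_endpoint: str, client_id: str, port: int,
                            scope: str, state: str, challenge: str) -> str:
    # Sent through the browser. Only the challenge travels here, never the verifier,
    # and no client secret: the authorization request is visible to the user agent.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": f"http://127.0.0.1:{port}/callback",  # loopback per RFC 8252 7.3
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str) -> str:
    # Run on the request the local listener receives. Reject anything whose state
    # does not match the value generated for this login attempt.
    qs = parse_qs(urlparse(callback_url).query)
    got_state = qs.get("state", [""])[0]
    if not secrets.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def build_token_request(client_id: str, port: int, code: str, verifier: str) -> dict:
    # Form body for the token endpoint (direct app-to-server call, not via the browser).
    # The verifier proves the caller is the same instance that started the flow.
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "redirect_uri": f"http://127.0.0.1:{port}/callback", "code_verifier": verifier}
```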
Solution
I struggled a bit to understand desktop flows also. I'd recommend private uri schemes as the best solution - I have some cross platform write ups starting here that might give you some ideas: https://authguidance.com/2018/01/11/desktop-apps-overview/
Feel free to ping me any follow up questions, Gary