authentication - Should I use PKCE for OpenID Connect with Native Desktop Application?

问题描述

I want to use OpenID Connect for my native windows and Linux desktop applications to authenticate my users.

As stated in "OAuth 2.0 for Native Apps" Section 7.3 I want to open a local TCP port to redirect from the Authentication Server to get the Authorization Code. I think there is no other option to use for native apps which work both for Windows and Linux.

So the flow would be like:

• Native app starts and shows login button
• When login button is pressed

• native apps opens a ephemeral, local port
• browser opens with login page of authentication provider (sending along the client id and secret, redirect URI and scope openid, response_type=code)

• After successful authentication of user in browser

• the authenication provider redirects to the redirect URI, which is the local open port
• the local port should display something like "close browser now and go back to app" to user

• Native application gets code from redirect and closes port
• Native application asks the token endpoint to get the identity token using the code

• validate the identity token using the signature
• will be able to get the details of the user out of that identity token

My question now is do I need PKCE? I found this article which states it does not bring any extra safety apart from making sure that when another app on the same device has registered the same Private-Use URI Scheme Redirect.

Is my plan in any other way flawed or needs further improvements? I understand that the client id and secret can be seen as "public" because they ship with the software and could be reverse engineered. But my software will not be available on public web pages (hopefully) and only be given to trusted customers (which will all have different client id and secrets).

标签： authenticationopenid-connectnativeapplicationpkce