How to store OAuth client id on native apps

Tags:

oauth-2.0

I'm working on a native app which will use OAuth to allow the user to sign in (or access material itself) to another website. I know I'll be making use of the implicit flow or authorization code flow for OAuth, however all my research regarding security seems to relate to the client secret.

It seems to be the client id for my app (which is provided by the 3rd party site) will be public and therefore exposed. This would allow someone else to take it and, following the same implicit flow, masquerade as my application. Is this just the nature of oauth?

Is there a way of storing this information so it cannot be stolen?

EDIT: I'd just like to clarify - I understand oauth keeps the user's information safe from my app and ideally interceptors. But what is stopping someone from taking my client id (as it is publicly visible through the auth process) and using it for themselves? Are any measures that can be taken defeated by open sourcing the app?

Clown asked Jun 10 '18 20:06


1 Answer

The client id can't be protected because it is sent as a query parameter in the authorization request.

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

(You could use a web view inside your native app and hide the address bar, but then your app would have access to the user's credentials.)

Further explanations:

  • Using the implicit flow in native apps is not recommended, because an attacker could register your redirect URI at the OS and could catch the callback with the access token.

  • The authorization code flow is a better option. If you are able to store the client secret securely within your app (see link below), an attacker could use your client id to start the authorization or catch the callback, but he wouldn't be able to use the authorization code to get an access token.

Links:

  • Best practices for storing and protecting private API keys

  • How to avoid reverse engineering of an APK file

  • Best practices for implementing OAuth in native applications

  • RFC for PKCE

Matt Ke answered Oct 13 '22 01:10
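The PKCE mechanism from the RFC linked above, as an added example (not code from the question or the answer): it is what the authorization code flow uses when a public native client has no secret to store, binding the authorization code to the app instance that started the flow so that a captured code is useless to someone holding only the client id. The authorization endpoint, client id and redirect URI are sample values taken from the request shown in the answer.

```python
# Added example, not from the original post. PKCE (RFC 7636) for a public
# native client whose client_id is necessarily visible. Endpoint, client_id
# and redirect_uri are sample values, not a real deployment.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def make_verifier(nbytes: int = 32) -> str:
    # RFC 7636 requires 43-128 chars from [A-Za-z0-9-._~];
    # base64url of 32 random bytes gives exactly 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with no padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            state: str, challenge: str) -> str:
    # The client id and challenge travel in the clear; only the verifier stays
    # in app memory until the token request.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str):
    # Client side: accept the code only if state matches the value we issued,
    # otherwise treat the callback as not ours and return None.
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return None
    return qs.get("code", [None])[0]


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    # What the token endpoint does when the code is redeemed: recompute the
    # challenge from the presented verifier and compare in constant time.
    return secrets.compare_digest(make_challenge(presented_verifier), stored_challenge)
```

An attacker who intercepts the callback gets the code but not the verifier, so the token endpoint's check fails; combine this with a claimed-HTTPS redirect URI rather than a custom scheme where the platform supports it.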