Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.4k views
in Technique[技术] by (71.8m points)

azure - Is there a secure way to 100% verify the identity of a desktop application against a web-api?

we use the Authentication Code Flow with PKCE to authenticate the users agains our native app (WPA) and some web-apis. Is there an aditional method to verify the the identity of this native app in our web-apis or is the Authentication Code Flow with PKCE secure enough for this case?

Thanks in advance

question from:https://stackoverflow.com/questions/65840846/is-there-a-secure-way-to-100-verify-the-identity-of-a-desktop-application-again

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

As far as I know, there is no way to authenticate the app itself. If the request starts from a device in my network, I can capture the request along with the access token. Then once I have the access token, I can make calls from an app that I wrote, and there won't be a way for your back-end to know otherwise.

You can only verify the user since the identity provider has issued a signed token for them after they have authenticated. In your back-end you need to check the user's access to the resources they are trying to access.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...