Can backend verify mobile client using OpenID Connect?


My goal is to implement a generic mobile client and backend authentication flow, just for practice. Imagine that I am building a note app that stores user notes on the backend. Instead of implementing my own user management in my backend, I want to rely on some popular OIDC providers to authenticate users from my backend.

The important thing is that I am not interested in accessing any user data that the OIDC provider offers. My goal is to verify the user and the client whenever something hits my backend.

My understanding of OIDC Authentication flow is as follows:

  • IdProvider: the oidc provider
  • MyClient: mobile application. has client_id
  • MyBackend: has client_secret


  1. MyClient generates PKCE code challenge.
  2. IdProvider authenticates the user and MyClient receives a temporary authorization_code.
  3. (not sure on this) MyClient sends MyBackend both the temp authorization_code and the PKCE code verifier for token exchange.
  4. MyBackend does token exchange with the IdProvider.
  5. (also not sure on this) MyBackend sends id_token and refresh_token back to MyClient.

My justifications for steps 3 and 5 are these:

  • Only MyBackend can access the client_secret. Therefore the token exchange can only be done by MyBackend, and MyClient is responsible for sending the temporary authorization_code and the PKCE code verifier.
  • MyClient needs the id_token to hit normal MyBackend endpoints. MyClient also needs the refresh_token to initiate the token refresh flow when the id_token expires.


Now, in the above flow, it looks like there is no way I can prevent an attacker from stealing the client_id and impersonating MyClient. I have tried to search for sample implementations on the internet, but many of them simply rely on client-side authentication only. For example, this one asks you to store the client_secret on the client side. I am not sure why this is acceptable, and AWS even built a sample for it?

Any help would be appreciated.
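The five-step flow described in the question, as an added, self-contained simulation (this is example code written for this page, not code from the original post or from any provider's SDK). The provider is a made-up `FakeIdP` class, and the names `my-notes-app`, `https://idp.example` and `alice` are invented. One simplification is an assumption: the id_token is signed with HS256 using a key that the simulated provider shares with MyBackend, whereas a real OIDC provider signs with RS256 or ES256 and MyBackend verifies against the public keys published at the provider's JWKS endpoint. The validation steps (signature, `iss`, `aud`, `exp`, `nonce`) are the same either way. The `run_flow()` function walks the legitimate flow and then tries three things an attacker might do with only the public `client_id`.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_pkce() -> tuple:
    """Step 1, on MyClient: code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = b64url(os.urandom(32))  # 43 chars of high-entropy base64url
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT; assumption standing in for the provider's RS256/ES256 signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class FakeIdP:
    """Made-up stand-in for the OIDC provider (not a real library)."""
    ISSUER = "https://idp.example"

    def __init__(self, client_id: str, client_secret: str, key: bytes):
        self.client_id, self.client_secret, self.key = client_id, client_secret, key
        self.codes = {}  # authorization_code -> (code_challenge, sub, nonce)

    def authorize(self, client_id: str, code_challenge: str, nonce: str, user="alice") -> str:
        """Step 2: the user logs in; a code bound to the PKCE challenge is issued."""
        if client_id != self.client_id:
            raise PermissionError("unauthorized_client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (code_challenge, user, nonce)
        return code

    def token(self, client_id: str, client_secret: str, code: str, code_verifier: str) -> dict:
        """Step 4: token endpoint. Needs the client_secret AND the matching PKCE verifier."""
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("invalid_client")
        challenge, sub, nonce = self.codes.pop(code, (None, None, None))  # codes are single use
        if challenge is None:
            raise PermissionError("invalid_grant: unknown or already-used code")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise PermissionError("invalid_grant: PKCE verifier mismatch")
        now = int(time.time())
        claims = {"iss": self.ISSUER, "sub": sub, "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        return {"id_token": sign_jwt(claims, self.key), "refresh_token": secrets.token_urlsafe(32)}


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """What MyBackend checks on every request that presents an id_token."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the token's own choice
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims


def run_flow() -> dict:
    client_id = "my-notes-app"                 # public; shipped inside the mobile app
    client_secret = secrets.token_urlsafe(32)  # known only to MyBackend
    key = os.urandom(32)                       # assumption: HS256 key shared by IdP and MyBackend
    idp = FakeIdP(client_id, client_secret, key)

    verifier, challenge = make_pkce()                  # step 1 (MyClient)
    nonce = secrets.token_urlsafe(16)
    code = idp.authorize(client_id, challenge, nonce)  # step 2
    # step 3: MyClient sends (code, verifier) to MyBackend over TLS; step 4: MyBackend redeems it
    tokens = idp.token(client_id, client_secret, code, verifier)
    # step 5 and every later request: MyBackend validates the id_token it is presented
    claims = verify_id_token(tokens["id_token"], key, FakeIdP.ISSUER, client_id)

    def redeem(c, secret, ver):
        try:
            idp.token(client_id, secret, c, ver)
            return True
        except PermissionError:
            return False

    return {
        "sub": claims["sub"],
        "nonce_ok": claims["nonce"] == nonce,  # ties the token to this login attempt
        # attacker knows the public client_id and intercepted a code, but not the verifier
        "stolen_code_redeemed": redeem(idp.authorize(client_id, challenge, nonce), client_secret, "guess"),
        # attacker (or the mobile app itself) holds code + verifier but no client_secret
        "no_secret_redeemed": redeem(idp.authorize(client_id, challenge, nonce), "not-the-secret", verifier),
        # the legitimate code cannot be replayed after it has been exchanged once
        "code_replayed": redeem(code, client_secret, verifier),
    }
```

Running `run_flow()` shows why the public `client_id` alone is not a secret worth protecting: redeeming a code requires both the PKCE verifier (which only the client that started the login has) and the `client_secret` (which only MyBackend has), and each code works once. What MyBackend actually trusts on later requests is the provider's signature over the `id_token` plus the `iss`, `aud` and `exp` checks, not anything the mobile app asserts about itself.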