My goal is to implement a generic mobile client and backend authentication flow, just for practice. Imagine that I am building a note app that stores user notes on the backend. Instead of implementing my own user management in my backend, I want to rely on some popular OIDC providers to authenticate users from my backend.
The important thing is that I am not interested in accessing any user data that the OIDC provider offers. My goal is to verify the user and the client whenever something hits my backend.
My understanding of the OIDC authentication flow is as follows:

- `IdProvider`: the OIDC provider
- `MyClient`: mobile application. has

1. `MyClient` generates PKCE code challenge.
2. `IdProvider` authenticates the user and
3. `MyClient` receives a temporary - (not sure on this)
4. `MyBackend` both the temp `authorization_code` and the PKCE code verifier for token exchange.
5. `MyBackend` does token exchange with the - (also not sure on this)
My justification for steps 3 and 5 is this:

- `client_secret`. Therefore token exchange can only be done by
- `MyClient` is responsible for sending the temp `authorization_code` and the PKCE code verifier.
- `id_token` to hit normal
- `refresh_token` to initiate the token refresh flow in case
Now in the above flow it looks like there is no way I can prevent an attacker from stealing the `client_id` and impersonating `MyClient`. I have tried to search for sample implementations on the internet but many of them simply rely on client-side authentication only. For example, this one: https://github.com/awslabs/aws-sdk-android-samples/tree/master/AmazonCognitoAuthDemo asks you to store `client_secret` on the client side. I am not sure why this is acceptable and why AWS even built a sample for it.
Any help would be appreciated.
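As an added illustration (not code from the question or from any provider), here is a self-contained Python sketch of steps 1 to 5 with constructed in-memory stand-ins for `IdProvider`, `MyClient` and `MyBackend`. It assumes a single `client_id` registered for the app, the S256 PKCE method, and that user authentication at the provider has already succeeded; it shows why a stolen `authorization_code` alone cannot be redeemed, and why a redeemed code cannot be replayed.

```python
import base64
import hashlib
import secrets


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class IdProvider:
    """Constructed stand-in for the OIDC provider's authorize and token endpoints."""
    def __init__(self, client_id: str, client_secret: str):
        self.client_id, self.client_secret = client_id, client_secret
        self._codes = {}  # authorization_code -> code_challenge it was issued against

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # Steps 2-3: user login is assumed to have succeeded; the one-time code is
        # bound to the challenge MyClient sent in the authorization request.
        assert client_id == self.client_id
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, client_id: str, client_secret: str, code: str, code_verifier: str):
        # Step 5: the code is consumed on first use, so it cannot be replayed even
        # if the first attempt was rejected.
        expected = self._codes.pop(code, None)
        if expected is None or client_id != self.client_id:
            return None
        if not secrets.compare_digest(client_secret, self.client_secret):
            return None  # only the confidential client (MyBackend) knows the secret
        if not secrets.compare_digest(s256_challenge(code_verifier), expected):
            return None  # caller does not hold the verifier that started this flow
        return {"id_token": "<constructed id_token>", "refresh_token": "<constructed refresh_token>"}


class MyBackend:
    """Confidential client: the only party that holds client_secret."""
    def __init__(self, idp: IdProvider, client_id: str, client_secret: str):
        self.idp, self.client_id, self.client_secret = idp, client_id, client_secret

    def exchange(self, code: str, code_verifier: str):
        # Step 4: MyClient hands over code + verifier; the backend redeems them.
        return self.idp.token(self.client_id, self.client_secret, code, code_verifier)


def run_flow(idp: IdProvider, backend: MyBackend, client_id: str):
    """Steps 1-5 end to end; returns the code and what the backend got for it."""
    verifier = secrets.token_urlsafe(32)  # step 1: MyClient keeps this in memory only
    code = idp.authorize(client_id, s256_challenge(verifier))
    return code, backend.exchange(code, verifier)
```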