Can backend verify mobile client using OpenID Connect?


Objective

My goal is to implement a generic mobile client and backend authentication flow, just for practice. Imagine that I am building a note app that stores user notes on the backend. Instead of implementing my own user management in my backend, I want to rely on some popular OIDC providers to authenticate users from my backend.

The important thing is I am not interested in accessing any user data that the OIDC provider offers. My goal is to verify the user and the client whenever something hits my backend.


My understanding of OIDC Authentication flow is as follows:

  • IdProvider: the OIDC provider
  • MyClient: mobile application. has client_id
  • MyBackend: has client_secret

Steps:

  1. MyClient generates PKCE code challenge.
  2. IdProvider authenticates the user and MyClient receives a temporary authorization_code.
  3. (not sure on this) MyClient sends MyBackend both the temp authorization_code and the PKCE code verifier for token exchange.
  4. MyBackend does token exchange with the IdProvider.
  5. (also not sure on this) MyBackend sends id_token and refresh_token back to MyClient.

My justifications for steps 3 and 5 are these:

  • Only MyBackend can access client_secret. Therefore the token exchange can only be done by MyBackend, and MyClient is responsible for sending the temp authorization_code and the PKCE code verifier.
  • MyClient needs id_token to hit normal MyBackend endpoints. MyClient also needs refresh_token to initiate the token refresh flow in case id_token expires.

Problem

Now, in the above flow it looks like there is no way I can prevent an attacker from stealing the client_id and impersonating MyClient. I have tried to search for sample implementations on the internet, but many of them simply rely on client-side authentication only. For example, this one: https://github.com/awslabs/aws-sdk-android-samples/tree/master/AmazonCognitoAuthDemo asks you to store client_secret on the client side. I am not sure why this is acceptable and AWS even built a sample for it?

Any help would be appreciated.
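As an added illustration (not part of the question or any answer to it), here is what the two verification points in the flow above look like in Python: the PKCE pair MyClient generates in step 1 (and the check the IdProvider's token endpoint makes on it in step 4), and the claim and signature checks MyBackend must run on every id_token it receives. The HS256 shared key, issuer URL, client_id and nonce values are constructed for the demo; real providers sign with RS256 and publish keys at a JWKS endpoint.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_pkce_pair():
    """Step 1 (MyClient): RFC 7636 S256 verifier/challenge pair."""
    verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe chars
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def pkce_verify(verifier: str, challenge: str) -> bool:
    """What the IdProvider's token endpoint checks in step 4."""
    expected = b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(expected, challenge)

def validate_id_token(token, key, issuer, client_id, nonce, now=None):
    """MyBackend's check on every request carrying an id_token (after step 5).
    HS256 with a shared key is an assumption for this offline demo; real
    providers sign with RS256 and publish their keys at a JWKS endpoint."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, payload, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and key confusion
    mac = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for our client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims

def mint_id_token(key, claims):
    """Stand-in for the IdProvider; only used to build a token to check."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return f"{head}.{payload}.{b64url(mac)}"
```

Note that client_id is a public identifier by design; what stops a stolen client_id from being useful is the PKCE binding at the token endpoint and the aud/nonce/exp checks MyBackend performs, not secrecy of the id itself.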

Mobile phone number spoofing

I received a text message from my son but it came up on my phone as not in my contacts, and hence the number was displayed, not his name. It was from an iPhone 7 with fully up-to-date iOS and not with any app or other software. He’s only 12 and does not have the ability to download or delete apps. It was sent and received in the standard Apple iOS messaging app. All messages were sent via the cloud as they appear in blue boxes. Any ideas how this could happen?

Higher risk of no certificate pinning on mobile apps vs web apps?

Talking with people, it is frequently considered that having a mobile application without certificate pinning is a vulnerability. But I rarely see people mentioning it for web applications.

The question is, why is this issue only mentioned for mobile apps? Is there a higher risk derived out of this vulnerability on mobile apps?

Thinking about it, considering that the degree of difficulty is about the same for installing a rogue certificate on both PC and mobile, I would say that the vulnerability should exist in both cases, but in the case of web apps there would be no remediation action, since HPKP, which I think is the only way to achieve cert pinning, is becoming obsolete.

Now none of the people I’ve talked with could give some reasonable explanations, so that’s why I wanted to see if there is indeed any good justification for the mobile cert pinning.

How do melee spell attacks interact with the Mobile feat? [duplicate]

The Mobile feat states that:

When you make a melee attack against a creature, you don’t provoke opportunity attacks from that creature for the rest of the turn, whether you hit or not.

Does that include melee spell attacks like green-flame blade or even steel wind strike?

So let’s say you are surrounded by enemies and you cast steel wind strike and attack everyone around you. Can you then safely walk out without provoking opportunity attacks?

Mobile phone Number Listings – An Easy Way to Obtain Detailed Info on Any Phone

It is safe to say that you are feeling suspicious that your adoration accomplice might be undermining you? Is your accomplice showing indications of unfaithfulness? Is it true that you are getting irritating phone number list calls regular or night and when you answer, they hang up the telephone? On account of the web, you would now be able to stop your doubts by counseling mobile phone number postings. 

In the event that your doubts are excessively solid and your accomplice denies doing anything incorrectly, you can attempt to access their phone and search for any numbers that are more than once dialed to or accepting calls from. Don’t simply remember them. Record them and afterward do a versatile number inquiry on the web. 

Maybe your need to do a cell number hunt isn’t as radical as an unfaithful accomplice. Perhaps you simply need to refresh your mailing list since you are arranging a wedding or a major occasion and you need to ensure everybody will get their solicitations. 

Despite what your purposes behind doing this are, you can discover a ton of data on the web and in particular, feel consoled that this information will be extremely precise and forward-thinking. 

Among the data that you will get is name and address, kind of telephone they use and transporter they are in contract with. Work status and other foundation data. 

The entirety of this you can do at home or your office, and all you need is a PC and access to the web. From that point, it is going great and you should simply include the telephone number that you have into the site, and you will gain admittance to PDA number postings for all intents and purposes in a split second.

GSC Coverage vs Mobile Usability discrepancy in count

I ran Excel VLOOKUP against all of the files GSC Coverage lists, versus all of the files GSC mobile usability says are mobile friendly. About 30% of the pages listed in Coverage are not included in the Mobile Usability list. However, when I run them through GSC’s URL inspection, it says that these missing pages are mobile friendly.

Is this something I should be concerned about? Will this impact what URLs are visible to mobile searches?

Is there a way to add an Arrow to Google CSE Refinements via the Mobile Search Layout?

EDIT: This has to do with Google CSE on my WordPress site. If this is not the correct forum, I apologize.

I was just wondering if there was a way to add an arrow or something indicating that mobile users can swipe through the refinement labels via Google CSE? I am not sure how most people know to swipe through them so it could be overlooked.

Thanks and regards,

Josh

Is the Mobile feat worth it for a monk? [closed]

I’m new to D&D and am interested in playing a monk character. From what limited research I have done, it appears to me that the monk is a mobile character who tries to avoid being hit and flits in and out of the range of their opponent, which brings with it the major concern of opportunity attacks.

There are two solutions to this issue that I am aware of: spending a ki point to Disengage as a bonus action, or taking the Mobile feat. However, both have issues.

Especially at lower levels, ki points are scarce, and spending one on Disengaging as opposed to using Flurry of Blows would seriously hinder damage output. Furthermore, it can only be done a very limited number of times, weakening the monk’s mobility.

Taking the Mobile feat carries its own issues. Ability scores are very important to a monk since it relies on three different abilities (Dex, Wis, and Con), so taking the Mobile feat at 4th level will hurt the monk in the long run.

In short, is it better to take the Mobile feat or use ki to Disengage?
Furthermore, if it is better to take the Mobile feat, should it be taken with the variant human’s free feat at 1st level, or at 4th level?

What is the use case of request signing in this mobile app?

The API of a mobile app I was testing is receiving the AWS AccessKeyId and SecretKey used for request signing from the AWS Cognito server unencrypted (apart from the regular TLS encryption), making it possible to re-sign all requests to their AWS Lambda API, e.g. using Burp’s “AWS Signer” extension.

With this, a Man-In-The-Middle could sign all altered requests, so I wonder what the actual use case of request signing is, in this instance?

Shouldn’t the AccessKeyID and SecretKey be kept secret?

The owner of the app is telling me that this is not an issue because they are following the AWS guidelines.

Is that correct? Or are they doing something wrong?

Why would they sign the requests in the first place in their mobile app? What is the use case of signing the requests, when the ‘secrets’ for creating a signature are distributed via the same connection in clear (except TLS)?

Does this conform to best practices when using AWS Lambda for serverless mobile app APIs? Is request signing even useful in this instance? Most apps I have tested didn’t use request signing.