Is an “inversed” Device Authorization Grant flow secure for authenticating a daemon/service native app to a web server?

I am working on a hobby project which will involve a web server (hosted and owned by me) and a native app (which will communicate with the web server periodically) that an end-user can install via a deb/rpm package. This native app has no traditional UI (besides via command line) and can be installed on browser-less environments. Additionally, I’m trying to avoid registering custom URL schemes. As such, I do not wish to use redirect flows, if possible.

The web server and the native app will both be open source and the code will be visible to everyone, but I suppose it shouldn’t matter in the context of authentication. However, I wanted to point that out in case it matters.

So far, during my research, I’ve come across two mechanisms which seem suitable for what I am trying to achieve:

  • Resource Owner Password Credentials Grant
  • Device Authorization Grant

Unfortunately, I’ve come across a lot of articles and blogs stating that Resource Owner Password Credentials Grant should no longer be used. Not sure how much weight I should give these articles, but I’m leaning towards Device Authorization Grant for now.

From my understanding, one of the steps involved in this grant is the client will continuously poll the server to check if the user has authenticated the client. However, instead of polling the server, why not flip the place where the code is entered?

In other words, instead of the client/device displaying a code to the user and the user then entering the code on the server, why not display the code on the server and have the user enter the code into the client? This way the client doesn’t have to needlessly poll the server? Does this not achieve the same thing? I’m really not sure though. I want to ensure I’m not missing something before I implement this.

This is how I envision the general flow for users using my project:

  1. The user would register an account on my site (i.e., the web server). This is just a traditional username and password authentication.
  2. The user can then download and install the deb/rpm package which contains my native app. Although, it should be noted that there’s obviously nothing preventing the user from installing the package without registering an account on the server. The whole point of this authentication is to create a link between the account on the server and the native app.
  3. Prior to enabling the daemon/service functionality of the native app, the user will need to authenticate the native app to the server.
  4. To do so, the user can log into the server (using their regular username/password creds) and generate a temporary token.
  5. The user can then use the CLI functionality of the native app to use this temporary token. For example, the user may type my_app_executable authenticate, where my_app_executable is the binary executable and authenticate is the parameter.
  6. This will prompt the user to enter their username and the temporary token.
  7. The app will then send the entered username and temp token to the server which will validate this combination. If it’s valid, the server will send an access token back to the app.
  8. The app can then use this access token to communicate with the server. Authentication complete.

Based on this, I have a couple of questions:

  1. Does this flow seem secure? Is there an aspect of this that I’m overlooking?
  2. Is it okay to more or less permanently encrypt and persist this access token on the filesystem? If the user turns off the native app for months and then they turn it back on, I would like it to function normally without making the user authenticate again. I suppose I’ll need to implement a way to revoke an access token, and I’m thinking about tracking this in the database on the server side. This would mean that for each HTTP request from the app to the server, the server will need to make a DB check to ensure the access token hasn’t been revoked.
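The following is an added example, not code from the question or its author: a minimal in-memory model of the server side of the eight-step flow above. It shows the properties a reviewer would look for in step 4 and step 7 (the temporary token is random, short-lived, bound to one user and burned on first use) and in question 2 (only a hash of each access token is stored, and every request is checked against a revocation flag). The class and function names, the ten-minute lifetime and the dictionary storage are assumptions; a real deployment would put the two tables in the database the question mentions.

```python
# Added example (not from the original post). Models the server side of the
# "inverted" device flow: logged-in user mints a pairing token on the web site,
# types username + token into the CLI, CLI exchanges it for a long-lived access token.
import hashlib
import hmac
import secrets
import time

PAIRING_TTL = 10 * 60        # assumed: pairing token is valid for ten minutes
ACCESS_TOKEN_BYTES = 32      # 256 bits of randomness per access token


def _digest(token: str) -> str:
    # Only hashes are persisted, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class PairingServer:
    def __init__(self, now=time.time):
        self.now = now
        self.pairing = {}    # digest -> {"user", "expires", "used"}
        self.access = {}     # digest -> {"user", "revoked", "created"}

    # Step 4: the user is already authenticated with username/password on the site
    # and asks for a temporary token to type into the CLI.
    def create_pairing_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pairing[_digest(token)] = {
            "user": username,
            "expires": self.now() + PAIRING_TTL,
            "used": False,
        }
        return token

    # Step 7: the CLI submits username + pairing token. Returns an access token,
    # or None if the pair is unknown, bound to another user, expired, or already used.
    def exchange(self, username: str, pairing_token: str):
        rec = self.pairing.get(_digest(pairing_token))
        if rec is None:
            return None
        # The token is bound to the account that minted it; compare in constant time.
        if not hmac.compare_digest(rec["user"].encode(), username.encode()):
            return None
        if rec["used"] or self.now() > rec["expires"]:
            return None
        rec["used"] = True   # single use: a token copied from a terminal is burned on first use
        access_token = secrets.token_urlsafe(ACCESS_TOKEN_BYTES)
        self.access[_digest(access_token)] = {
            "user": username,
            "revoked": False,
            "created": self.now(),
        }
        return access_token

    # Step 8 / question 2: every API request presents the access token; the server
    # looks up its hash and refuses revoked or unknown tokens. Returns the username or None.
    def authenticate(self, access_token: str):
        rec = self.access.get(_digest(access_token))
        if rec is None or rec["revoked"]:
            return None
        return rec["user"]

    # Revocation is a flag on the stored record, so the check above costs one lookup.
    def revoke(self, access_token: str) -> bool:
        rec = self.access.get(_digest(access_token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True
```

The client only ever holds the random access token string; because the server keeps a hash, an attacker who reads the server's table cannot call the API, and because the pairing token expires and is single-use, a token that is read from a user's screen or shell history is only useful for a few minutes and only until the legitimate client has used it.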

Is there some native way to control the “sentence start space” in CSS? [closed]

In plain text, it has long been a practice to do:

This is a sentence.  This is a new sentence.  This a third sentence. 

That is, double spaces for each new sentence, heavily improving readability.

In HTML, this is not (obviously) possible. If you try the same, it’s rendered as:

This is a sentence. This is a new sentence. This a third sentence. 

There are “insane hacks”, such as &nbsp;, but that is both ugly and highly impractical.

One might also probably code something which automates this server-side, such as adding a <span class="new_sentence"> wherever there is a new sentence, and then style that class in CSS to have some right-margin, but that requires “processing” and again doesn’t seem elegant/right.

Is there really no CSS property called something like sentence-start-margin or something like that? I lost track of CSS features somewhere in 2005, so it’s been 15 years of me basically stumbling over random features in both modern HTML, JS and CSS, and for all I know, this could well exist. I hope it does. It’s frankly very strange if it doesn’t.

The single spaces everywhere make my eyes blur together the text and it makes it very hard for me to follow. I kept wishing that Silmarillion had used double spaces for new sentences as I was reading it.

How to ensure your own native app is talking to your own API

I’m developing an API and different apps to access to it, each with different scopes, including a native mobile app, and I’m wondering what would be a good strategy to authenticate my own native app to my own API (or more specifically my users).

I can’t find a recommended method to guarantee that it is really my client (in this case a native app) which is talking to my API.

For example, if I implement the Authorization flow to authenticate my users. Let’s say I have a server acting as the client, mobile.mydomain.com, so my mobile app makes requests only to mobile.mydomain.com, and mobile.mydomain.com is able to securely talk to api.mydomain.com as the client id / client secret is never exposed to the public.

So far so good, api.mydomain.com is sure that calls are from mobile.mydomain.com; however mobile.mydomain.com isn’t sure who is sending requests to it, and it’s still possible to impersonate my mobile app by making another app that just includes the same login button, does the same oauth2 process and finally gets a token to continue talking to mobile.mydomain.com.

How is that different from using the Password flow (which isn’t recommended I know) and embedding the client id / client secret in this case? (client_secret being completely useless in this case)

=> basically from the api point of view, it just needs to know what is the client id.

How does Google make sure that a request is really from the Gmail app and not from another app doing the exact same thing with the same redirect uri etc? (which wouldn’t be harmful anyway as it requires a username / password). I guess it can’t know for sure.

PS: I’m aware that OAuth2 isn’t for authentication but for authorization only

Do any API-based CASB use native DLP features in cloud applications?

I think I’ve understood what CASB are and the differences between proxy/API-based architectures. What is still unclear to me is how exactly API-based CASB function.

I know most products use APIs to traverse the cloud document storage to download and inspect the documents. Or maybe even use APIs to download auditing logs from the service. But for example Office 365 offers DLP features such as Exchange Mail Flow Rules or Office 365 DLP rules. Do any API-based CASB also automatically configure and use these DLP functions?

OAuth native app without localhost redirect

Section 4.1 of RFC 8252 describes the OAuth authorization flow for native apps using the browser (i.e., external user-agent). In this flow, the native app receives the authorization code in step 4 by setting the redirect URI to the loopback IP. This, of course, requires the native app to open a port on the loopback interface and subjects us to attacks where other apps could get the authorization code (unless we use something like PKCE).

Our system is a client-server model where the clients are various custom command line tools with no real user interface. In our deployments, we can’t always guarantee that we will be able to open a port on the loopback (and we’d like to avoid the added security concerns that PKCE addresses). We would like to tweak the flow for our use case but want to make sure we aren’t leaving the door open for security issues. Here is the flow we’d like to use:

  1. Command line tool initiates intent to perform OAuth flow to Application Server.
  2. Application Server generates a random in-progress session token and a separate random OAuth flow state value
  3. Application Server stores both values in the database together
  4. Application Server returns both values to the Command line tool
  5. Command line tool launches the external user-agent (e.g., browser) and starts the authentication process against the Authorization Server using the OAuth state value provided by the Application Server
  6. User authenticates
  7. Authorization Server redirects to the Application Server along with the state value
  8. Application Server retrieves authorization code and stores it in the database along with the in-progress session token and OAuth state value
  9. Command line tool submits the in-progress session token to the application server
  10. Application server retrieves the authorization code from the database and treats it as if the command line tool provided it

Outside of the potential for DoS abuse on submitting lots of OAuth initiations and the potential for the command line tool to initiate step 9 before the application server has completed step 8, are there other security issues to be concerned with?
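As an added illustration (not code from the question or the project it describes), here is an in-memory model of the Application Server's part of the ten steps above. It keeps the two random values the question introduces separate: the state travels through the browser and binds the callback to one attempt, while the session token never leaves the command line tool and is the only thing that can collect the code. The state is accepted once, the code is handed out once, and a stale attempt is refused, so neither value can be replayed. The race the question raises (step 9 arriving before step 8) is reported as "pending" so the tool can retry instead of failing. Class names, the five-minute lifetime and the dictionary storage are assumptions standing in for the database.

```python
# Added example (not from the original post). Application Server side of the
# session-token + state relay described in the question, with in-memory storage.
import secrets
import time

ATTEMPT_TTL = 5 * 60   # assumed: an attempt must complete within five minutes
PENDING = "pending"    # returned to the CLI when the callback has not happened yet


class AppServer:
    def __init__(self, now=time.time):
        self.now = now
        self.by_session = {}   # session token -> attempt record
        self.by_state = {}     # OAuth state   -> the same attempt record

    # Steps 1-4: mint both random values, persist them together, return them to the CLI.
    def start(self):
        attempt = {
            "session": secrets.token_urlsafe(32),
            "state": secrets.token_urlsafe(32),
            "code": None,
            "created": self.now(),
            "delivered": False,
        }
        self.by_session[attempt["session"]] = attempt
        self.by_state[attempt["state"]] = attempt
        return attempt["session"], attempt["state"]

    # Steps 7-8: the Authorization Server redirects the browser here with state + code.
    # Unknown, already-used or expired state is dropped, so a replayed redirect cannot
    # overwrite a code that is waiting for the CLI.
    def callback(self, state: str, code: str) -> bool:
        attempt = self.by_state.get(state)
        if attempt is None or attempt["code"] is not None or self._expired(attempt):
            return False
        attempt["code"] = code
        return True

    # Steps 9-10: only the holder of the session token can collect the code, exactly once.
    # Returns the code, PENDING if the callback has not arrived yet, or None if the
    # session is unknown, expired or already consumed.
    def collect(self, session_token: str):
        attempt = self.by_session.get(session_token)
        if attempt is None or attempt["delivered"] or self._expired(attempt):
            return None
        if attempt["code"] is None:
            return PENDING
        attempt["delivered"] = True
        code = attempt["code"]
        # Forget the attempt so neither the state nor the session token can be reused.
        del self.by_session[session_token]
        del self.by_state[attempt["state"]]
        return code

    def _expired(self, attempt) -> bool:
        return self.now() - attempt["created"] > ATTEMPT_TTL
```

In the real system step 10 would go on to redeem the returned code at the Authorization Server's token endpoint from the Application Server, which is where the confidential client credentials stay; the command line tool only ever sees the session token it was given in step 4.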

What are the ramifications of Aasimar PCs being Outsider (Native)?

I’m playing an Aasimar. They are the type Outsider (Native).

I wanted to find out what impact that has on the game. So I looked up outsiders:

https://www.d20pfsrd.com/bestiary/monster-listings/outsiders/

and I saw this:

Proficient with all simple and martial weapons and any weapons mentioned in its entry.

Skill points equal to 6 + Int modifier (minimum 1) per Hit Die. The following are class skills for outsiders: Bluff, Craft, Knowledge (planes), Perception, Sense Motive, and Stealth. Due to their varied nature, outsiders also receive 4 additional class skills determined by the creature’s theme.

And a few other cool things.

I’m assuming these don’t apply to Aasimar PCs. But my question remains unanswered: what are the ramifications of being a PC that is of the type Outsider (Native)?

Install a PFX/SSL certificate downloaded from the server on Android/iOS device in a React Native app?

I am building a React Native application that downloads an SSL certificate file or a PFX from the server or a remote file storage. After getting this file, I want to install this certificate onto the device so that only my app can access it. I want to use this certificate to facilitate secure API calls to another server that talks HTTPS. I am assuming that I should use the Keychain on iOS and Keystore on Android for storing the certificate but I am not sure if it enables me to store a PFX. And after storing it, how do I use it for the API calls that I make subsequently?