OAuth2 with Desktop Application Security
Edit: Verifying that a request came from your desktop application and not a clone of it to your server is not really possible unless you control the locations where it is installed, but for a user program you don't. You can place some meagre barriers, but you can't provide any guarantees. It looks like iOS/Android are moving on this front, I imagine the only viable implementation would be for the OS to send a verified credential on your behalf, that is OS level support, not application level support.
As for general OAuth 2.0 authentication methods...
If we go through the motions here, we can analyse each method of authorisation and take a look at the risk of this. https://developers.google.com/identity/protocols/OAuth2
- https://developers.google.com/identity/protocols/OAuth2WebServer (I think you're in this camp, but there's no
client_secret
here)- Only risk of DOS against your client credentials. The responses are only ever acknowledged and forwarded to the specified redirect Uri, so requests can be made on your behalf for tokens, but only your server will ever receive the tokens (assuming the user agent is decent), you should deal with the case where you receive unknown token responses.
https://developers.google.com/identity/protocols/OAuth2InstalledApp
Risk of User installing a malicious app. When you lose the
client_id
,client_secret
and theredirectUri
(you have no way to keep these private against debugging of the device), then anybody will be able to make apps on your behalf. This is an unfortunate problem for mobile apps. The only defence is the User consent screen for now, that is, hopefully the User notices by looking at the consent screen that they have been duped into installing a malicious app from the store instead of your legitimate app.I'd love to see some more work on this front, perhaps the App Stores could hold some credentials on your behalf and then confirm that it is your app requesting, I imagine that would involve some hash checking etc.
I'd be even happier to be corrected on this one, but I see nothing preventing the above problem :P
- https://developers.google.com/identity/protocols/OAuth2UserAgent
- Same as 1.
- https://developers.google.com/identity/protocols/OAuth2ForDevices
- Same as 2.