stackoom
  简体   繁体   中英

Client Credentials Flow or Authorization Code Flow (with PCKE) for a trusted desktop client

 原文  2020-06-12 22:16:50       c#/ authentication/ oauth-2.0/ identityserver4/ openid-connect

Question

I'm developing the authentication/authorization architecture for several APIs.

I'm using IdentityServer4 as a Security Token Service (STS).

From what I've read from "Dominick Baier" (one of the persons that built IdentitySever4), there are only two types of Flows that should be used :

  • Client Credentials Flow. (machine-to-machine)
  • Authorization Code Flow + PCKE. (for iteractive users).

I have several C# Web API's that will communicate with each (Machine-To-Machine), and I will use the Client Credentials Flow.

But then there are some WPF Desktop Applications, that will need to access some APIs, and don't have a user. Which flow should be used?

I've read that: Desktop/Native & Mobile Applications should use Authorization with Authorization Code Flow (with Public Client and PKCE), since they are hosted on the Client side, and the Client/Secret is can be leaked (maybe on a Desktop application we can Encrypt the Secret? But then will need to manage a way how to store the secret that decrypts that right?)

Then I've read: "Anytime you have a system that isn't concerned with the end-user identity (and just needs to authenticate the system), use the OAuth2 Client Credential Grant."

For now, this is my case, I'm not concerned with the end-user identity (but maybe in a near future I will).

So since the above points conflict with each other: - Which flow should I use? - Can I have a Desktop Client using Clients Credential Flow and be safe?

Also, I've read a bit about Mutual TLS, If I use that, does this change which flow should I use?

2 answers

solution1
 2 ACCPTED  2020-06-13 06:40:31

You can't trust a client because you can't be sure a request originates from the client. And another problem is that clients are not good in keeping secrets. But there are different types of clients.

Clients that run on servers often having a single task, like synchronizing data which is user independent, are suitable to use the client credentials flow. To some degree they can keep a secret (running on a server).

You can use unique credentials for each instance but that doesn't make it safer. It helps you to identify the client, but doesn't add security. Security is about monitoring behaviour and detecting anomalies. Or perhaps narrowing access by filtering on ip address.

But you are not limited to use the two flows you've mentioned. Being a token provider, you can extend IdentityServer with custom flows using extension grants .

Without user the client credentials are somewhat similar to the resource owner password credentials (ROPC) flow (another option that is no longer covered in the grant type documentation but still exists, see the old docs ). Neither are really safe in the sense that both can be automated. The user factor can be eliminated since user interaction isn't required for these flows.

But I wonder why your app has no user, running on a user machine. Because ideally you have a client (without secret) where the user logs in and let the client contact the api ( delegation ).

So there are two things: do you need to identify the client? If not you could suffice with an ApiKey, like eg Sendgrid. And you can never trust a client. Security has to be server side.

So basically it doesn't really matter, there is nothing you can do to make it much safer client side. The only thing you can do is add the requirement of user interaction. So perhaps now you don't need it, but it will increase security and allows you to delegate api access to the client.

solution2
 0  2020-06-14 09:53:40

To add to Ruard's very good answer and point you to some links:

For your WPF desktop applications the standard technique is to open the system browser for logins and then receive the response in your app. This is a little tricky but the below IdentityModel code samples show how:

RESOURCES OF MINE

The user experience is a little tricky though, so to understand the behaviour you may want to have a look at my visual blog posts.

The blog posts are accompanied by a couple of code samples you can easily run from your local PC.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Swashbuckle OAuth2 Authorization with Client Credentials Flow Access denied for application with client credentials flow Hybrid Flow Client Credentials OAuth 2.0 Best practice for persisting tokens using Client Credentials flow AAD client-credentials flow request scope for web api Keep getting session out with OIDC JS client and Identity server 4 Authorization flow with PKCE flow on Azure app services Issue in Self Signed Client Certificate while processing an Identity Server Client Credentials Flow Client certificate with Hybrid Authentication Flow how to signin using oauth2 authorization Code Grant flow in UWP Desktop app Securing Back end services in Azure API Management using OAuth2 Client Credentials flow
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM