Implementing mobile native OIDC clients

To work with OIDC on mobile devices we recommend using the SDK from the AppAuth (https://appauth.io/) project.

AppAuth is a client SDK for native apps to authenticate and authorize end-users using OAuth 2.0 (https://tools.ietf.org/html/rfc6749) and OpenID Connect (https://openid.net/specs/openid-connect-core-1_0.html).

Follow https://github.com/openid/AppAuth-Android or https://github.com/openid/AppAuth-iOS to find documentation and usage examples.

Before access to test environments is given, please contact our sales representatives to establish the services needed: Customer support

Configuring OIDC clients

As part of the registration process, one or more client ids will be configured/set up (see Client authentication). Note, however, that mobile apps, Single Page Apps (SPA) and other native applications (installed on end-user devices) cannot be trusted with secrets.

For example, using a client secret (or private key) to authenticate a mobile native app would mean distributing the secret to all installations (all devices). In practice this would leave the secret exposed and at risk of reverse engineering, and hence useless. As a result, these types of clients need to be "public", having no secrets. This needs to be reflected in what kind of access tokens the clients may retrieve.

Unfortunately, local installation opens up new threats. Public clients are susceptible to the authorization code interception attack (as the token endpoint is not protected by a secret). This may occur when using end-user authentication with the recommended Authorization Code Flow.

In this attack, the attacker intercepts the authorization code returned from the authorization endpoint within a communication path not protected by Transport Layer Security (TLS), such as inter-application communication within the client's operating system. This makes it possible for an attacker to retrieve the Access Token meant for the valid client.

The RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE) specification reduces security risks for native apps, as embedded secrets aren’t required in source code, which limits exposure to reverse engineering.

Hence all native mobile or Single Page App (SPA) clients will be configured without client secrets but with PKCE.
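The PKCE binding described above, as an added example that is not part of this documentation or of AppAuth: the client derives a code_challenge from a fresh code_verifier (S256 method of RFC 7636), and the token endpoint only releases tokens when the presented code_verifier hashes to the challenge stored with the authorization code, so a party that intercepted the code alone cannot exchange it. The issued-code store and the `token_endpoint_exchange` helper are simplified assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 section 4.1: code_verifier is 43 to 128 characters of [A-Za-z0-9-._~]
MIN_VERIFIER_LEN = 43
MAX_VERIFIER_LEN = 128


def b64url_no_pad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier kept in memory on the device, never sent
    in the authorization request (32 random bytes -> 43 base64url characters)."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: BASE64URL(SHA256(ASCII(code_verifier))), sent with the
    authorization request as code_challenge=...&code_challenge_method=S256."""
    return b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token endpoint side (RFC 7636 section 4.6). Only S256 is accepted here:
    the spec's 'plain' method would let anyone who saw the challenge reuse it."""
    if not (MIN_VERIFIER_LEN <= len(presented_verifier) <= MAX_VERIFIER_LEN):
        return False
    if stored_method != "S256":
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


def token_endpoint_exchange(issued_codes: dict, code: str, code_verifier: str) -> bool:
    """Simplified token endpoint (assumed for this example): issued_codes maps an
    authorization code to the challenge recorded when it was issued. A code is
    single-use, so it is consumed on any attempt, successful or not."""
    record = issued_codes.pop(code, None)
    if record is None:  # unknown, expired or already-used code
        return False
    return server_verify_pkce(record["code_challenge"], record["code_challenge_method"], code_verifier)
```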