Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


We use the Authentication Code Flow with PKCE to authenticate the users against our native app (WPA) and some web-apis. Is there an additional method to verify the identity of this native app in our web-apis, or is the Authentication Code Flow with PKCE secure enough for this case?

Thanks in advance

question from:https://stackoverflow.com/questions/65840846/is-there-a-secure-way-to-100-verify-the-identity-of-a-desktop-application-again


1 Answer

As far as I know, there is no way to authenticate the app itself. If the request starts from a device in my network, I can capture the request along with the access token. Then once I have the access token, I can make calls from an app that I wrote, and there won't be a way for your back-end to know otherwise.

You can only verify the user since the identity provider has issued a signed token for them after they have authenticated. In your back-end you need to check the user's access to the resources they are trying to access.

