I have a REST API that a Desktop Application needs to access. I am using an OpenID Connect auth code flow to accomplish this.
The desktop app establishes an unauthenticated session with the REST API server. The REST API server then generates a state and nonce for building an Auth Code request URI; it then sends the Auth Code request URI and sessionID in the response to the desktop app.

The desktop app then opens the URI in a web browser, and the user authenticates with the IDP.

The auth code is returned to the app, which passes it back to the REST API server using the sessionID that only the desktop app knows, and then the API server exchanges the auth code for an id_token and verifies that the exchanged token nonce matches the nonce it originally passed in the initial request, ensuring that it belongs to
After confirming, it then passes some credentials to the client.
This process prevents the code from being misused if it’s intercepted and it ensures that the token is only granted to a person who has knowledge of the sessionID (which is reasonably only the desktop app.)
While these protections prevent token exchange snooping, I do not see how to mitigate the threat of a malicious 3rd party app generating an unauthorized Auth Code request and manipulating valid auth sessions with the IDP to trick the user into using the malicious Auth Code request.
A malicious app could generate a legitimate Auth Code URI request and then inject it during the browser redirect to the IDP and an unsuspecting user would be none the wiser that they are now authorizing a different application.
Is it even possible to prevent this from happening outside of ensuring a malicious app isn’t on a device?
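The server-side binding the question describes (state and nonce generated per sessionID, nonce checked against the exchanged id_token, session consumed once) as an added example that is not the asker's code; `ApiServer`, `FakeIdp` and the `idp.example` URL are hypothetical, and the in-process IdP stub returns bare claims with no JWT signature to verify.

```python
import secrets
from urllib.parse import urlparse, parse_qs

class FakeIdp:
    """Stand-in for the IDP: issues a code bound to the nonce of the request it saw."""
    def __init__(self):
        self.codes = {}
    def authorize(self, request_uri):
        q = parse_qs(urlparse(request_uri).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": "alice", "nonce": q["nonce"][0]}
        return code, q["state"][0]            # browser redirect carries code and state
    def exchange(self, code):
        return self.codes.pop(code, None)     # one-shot code; claims stand in for the id_token

class ApiServer:
    """REST API side: every state/nonce pair is tied to exactly one sessionID."""
    def __init__(self):
        self.sessions = {}
    def start_session(self):
        sid, state, nonce = (secrets.token_urlsafe(32) for _ in range(3))
        self.sessions[sid] = {"state": state, "nonce": nonce, "used": False}
        uri = ("https://idp.example/authorize?response_type=code&client_id=desktop-app"
               f"&redirect_uri=http://127.0.0.1/cb&state={state}&nonce={nonce}")
        return sid, uri
    def complete(self, sid, state, code, idp):
        sess = self.sessions.get(sid)
        if sess is None or sess["used"]:
            return None                       # unknown session, or already redeemed
        if not secrets.compare_digest(state, sess["state"]):
            return None                       # state belongs to some other auth request
        claims = idp.exchange(code)
        if claims is None:
            return None                       # code invalid or already used at the IDP
        if not secrets.compare_digest(claims["nonce"], sess["nonce"]):
            return None                       # code was minted for a request this session never made
        sess["used"] = True
        return {"sub": claims["sub"], "api_token": secrets.token_urlsafe(32)}
```

Note that all four checks only prove the code came from the request *this* server built for *this* session; a request URI built and injected by a different app on the same device is, to the IDP, an ordinary request from whatever client_id it names, which is exactly the gap the question points at.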