
I'm using Identity Server 4 to provide token access to an API. I'm setting up my client code, which looks something like this:

using System;
using System.Net.Http;
using IdentityModel.Client; // NuGet package "IdentityModel"; _httpClient is an HttpClient

var disco = await _httpClient.GetDiscoveryDocumentAsync(new DiscoveryDocumentRequest
{
    Address = "https://identityserveraddress.com",
    Policy =
    {
        // Disables the check that the "issuer" in the discovery document matches Address.
        ValidateIssuerName = false
    }
});
if (disco.IsError) throw new Exception(disco.Error);

var response = await _httpClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
    Address = disco.TokenEndpoint,

    ClientId = "client",
    ClientSecret = "secret",   // the value this question is about protecting
    Scope = "api1"
});
if (response.IsError) throw new Exception(response.Error);

If this were a web application, I could simply store the secret in the web.config, read it from there and supply it to Identity Server. However, this call is from a UWP client.

My question is: what strategies are there when using a desktop client to secure this secret? If it's just in plain text, the assembly could easily be put through dotPeek or ildasm or something similar, and storing it in a config file on the client makes that problem even worse. I can't store it on the server, because I would need to be authenticated in order to access it (catch-22).

  • What consequences will there be if someone abuses your tokens? Do you consider security through obscurity secure? – keithyip Dec 16 '18 at 15:06

1 Answer


This may not be a complete solution, but the following are my suggestions.

  1. Compile code to native binaries - I feel this makes it difficult to get the secret (not impossible). See: How to compile Apps to .NET Native
  2. Use some obfuscators (most tools out there are paid). See: Some list of Obfuscator tools

  3. You can encrypt the secret that's placed in the assembly, then call an API to decrypt the secret at runtime (you may need to first validate the incoming requests based on client ID, app unique ID, device ID etc. and then perform the decryption logic). The decryption should not be done on all requests as it may degrade performance; just do it once, store the decrypted secret somewhere (maybe in memory or a Redis cache) and use it until the app closes. The calls to the API should be over HTTPS, else Fiddler-like tools can be used to learn the secret.

There are lots of things to be considered for total security, so consider my suggestions as a small intro.

Jeshwel
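All three suggestions above raise the cost of extracting the secret but cannot prevent it: the app must hold the plaintext in memory to send it, so a debugger or a memory dump gets it regardless of native compilation, obfuscation or a decryption API. The client credentials grant is meant for confidential clients that can keep a secret; a UWP or other desktop app is a public client, and the OAuth guidance for native apps (RFC 8252) is to register it with no secret and use the authorization code flow with PKCE (RFC 7636) instead, so that an intercepted authorization code is worthless without the per-request code verifier. The following is an added example, not code from the question or the answer; it assumes IdentityModel 4.x (where the discovery response type is DiscoveryDocumentResponse) and IdentityServer4, and the client id "native-client", the redirect URI "myapp://callback" and the scope "api1" are placeholders.

```csharp
// Added example: a desktop/UWP app as a *public* OAuth client. No client secret ships
// with the app; PKCE binds the authorization code to this process instead.
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using IdentityModel.Client;   // NuGet: IdentityModel 4.x (assumed version)

// IdentityServer4 side (Config.cs): the matching client registration.
// new IdentityServer4.Models.Client
// {
//     ClientId = "native-client",
//     RequireClientSecret = false,                          // public client: nothing to leak
//     AllowedGrantTypes = IdentityServer4.Models.GrantTypes.Code,
//     RequirePkce = true,                                   // code alone cannot be redeemed
//     RedirectUris = { "myapp://callback" },                // custom scheme or loopback (RFC 8252)
//     AllowedScopes = { "openid", "api1" },
// };

public static class PkceClient
{
    const string ClientId = "native-client";
    const string RedirectUri = "myapp://callback";

    // RFC 7636: code_verifier is 43-128 chars of [A-Za-z0-9-._~]; base64url of 32 random
    // bytes yields 43. code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    public static (string Verifier, string Challenge) CreatePkcePair()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var verifier = Base64Url(bytes);

        using (var sha = SHA256.Create())
            return (verifier, Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier))));
    }

    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Step 1: the URL handed to the system browser (WebAuthenticationBroker on UWP).
    // Only the hash of the verifier leaves the process.
    public static string BuildAuthorizeUrl(DiscoveryDocumentResponse disco, string challenge, string state) =>
        new RequestUrl(disco.AuthorizeEndpoint).CreateAuthorizeUrl(
            clientId: ClientId,
            responseType: "code",
            scope: "openid api1",
            redirectUri: RedirectUri,
            state: state,
            codeChallenge: challenge,
            codeChallengeMethod: "S256");

    // Step 2: redeem the code. Note the absence of ClientSecret: the verifier, which
    // never left this process, is what proves this is the client that started the flow.
    public static async Task<TokenResponse> RedeemCodeAsync(
        HttpClient http, DiscoveryDocumentResponse disco, string code, string verifier)
    {
        var response = await http.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = ClientId,
            Code = code,
            RedirectUri = RedirectUri,
            CodeVerifier = verifier
        });
        if (response.IsError) throw new InvalidOperationException(response.Error);
        return response;
    }

    public static async Task Main()
    {
        var http = new HttpClient();
        // Issuer-name validation is left at its default (on): the document must come from
        // the issuer named in Address, or disco.IsError is set.
        var disco = await http.GetDiscoveryDocumentAsync("https://identityserveraddress.com");
        if (disco.IsError) throw new InvalidOperationException(disco.Error);

        var (verifier, challenge) = CreatePkcePair();
        var state = Base64Url(Guid.NewGuid().ToByteArray());   // reject callbacks whose state differs
        Console.WriteLine("Open in the system browser: " + BuildAuthorizeUrl(disco, challenge, state));

        // After the browser returns to myapp://callback?code=...&state=..., verify that
        // state matches, then: var token = await RedeemCodeAsync(http, disco, code, verifier);
    }
}
```

What this buys over an embedded secret: there is nothing in the binary worth decompiling, the access token is issued to a user who actually logged in rather than to "whoever has the app", and the verifier is fresh per login and lives only in memory for the seconds between the authorize request and the token request. Refresh tokens (AllowOfflineAccess on the IdentityServer4 client) can then be kept in the platform's credential store rather than in a config file.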