
This question relates to this post I made on StackOverflow recently, which I'll recap here briefly.

I have a desktop app that I would like to authenticate through a website, using the process outlined below:

  1. I click a "Login" button on my Qt C++ desktop app, which (using TLS) establishes a connection with the authentication server (likely with a POST request to an endpoint of my Firebase site), which sends back a one-time sign-in token.
  2. The desktop app then opens the web browser and navigates the user to an authentication URL, with the sign-in token from step 1 encoded in the URL as a GET request.
  3. User performs sign in on this webpage.
  4. Desktop app is continuously pinging an API endpoint checking to see if a user has authenticated with its sign-in token. Once sign in is successful for the queried sign-in token, API will return user ID token to desktop app, which the desktop app can then use to access privileged information.

I was just wondering whether there are any security concerns associated with this process. Here are some that I realised, and have hypothetical solutions for:

Issue: The sign-in token from step 1 could be captured by malicious software on a user's computer (as it's encoded in plaintext in the URL that the user visits). The malicious software could then directly ping my API endpoint with the sign-in token, waiting to capture the user ID that API will send back once the user signs in on the web page.
Planned Solution: The only defence that I can think of for this is obscurity of the API endpoint, i.e. when the desktop app accesses API endpoints, it will always do so over TLS, so that something like Wireshark can't be used to simply access the API URLs and/or data that is being transferred.

Are these solutions adequate for the potential security issues I've outlined above? Are there any other potential security concerns in this approach to authentication? In what ways can I change/rework my authentication process in order to minimise/mitigate security issues?

Also, am I reinventing the wheel here by attempting to implement this authentication manually? Are there any premade solutions for this type of authentication that offer better reliability and security?

skillz21

1 Answer


Rule #1: don't roll your own.

It sounds like you are inventing your own version of the SAML or OIDC federated login protocols. I would suggest that you look into those and see if they fit rather than inventing your own and working through the design issues one by one.

Mike Ounsworth
Thanks for the suggestions. I did have a look around for tutorials or guides for what I'm trying to achieve, but I wasn't able to find any. Looking at the two protocols you mentioned, the impression I'm getting is that they are typically used by larger scale enterprise products (hence, not very many tutorials/guides are available.) I think I'm going to have to simplify the process by ditching the idea of web-based sign-in altogether, since I don't think I have the knowledge/experience to integrate a pre-existing solution nor roll my own secure solution. – skillz21 Apr 24 '22 at 00:50
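The capture-and-poll issue from the question, worked through as an added example (not code from the question, the answer, or Firebase): the desktop app keeps a random verifier, puts only its SHA-256 hash in the sign-in URL, and the poll endpoint releases the ID token only to a caller that presents the verifier, which is the PKCE binding that OAuth 2.0 and OIDC use for native apps. The server class, URL and token formats are assumptions made for the illustration.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def s256(verifier: str) -> str:
    """PKCE S256 code challenge for a code verifier."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


class AuthServer:
    """Toy stand-in (assumption) for the question's authentication endpoints."""

    def __init__(self):
        self.pending = {}  # sign-in token -> {"challenge": str, "user": str | None}

    def issue_token(self, code_challenge: str) -> str:
        # Step 1: one-time sign-in token, bound to the challenge the desktop app sent
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"challenge": code_challenge, "user": None}
        return token

    def browser_sign_in(self, token: str, user: str) -> None:
        # Step 3: the user signs in at a URL that carries only the token
        if token in self.pending:
            self.pending[token]["user"] = user

    def poll(self, token: str, code_verifier: str):
        # Step 4: release the ID token only to the holder of the verifier
        entry = self.pending.get(token)
        if entry is None or entry["user"] is None:
            return None  # unknown token, or the user has not signed in yet
        if not secrets.compare_digest(s256(code_verifier), entry["challenge"]):
            return None  # software that only saw the URL cannot produce the verifier
        del self.pending[token]  # one-time use: a later poll with the same token fails
        return f"id-token-for-{entry['user']}"


def run_flow(user: str = "alice") -> dict:
    server = AuthServer()
    verifier = b64url(secrets.token_bytes(32))  # never leaves the desktop app
    token = server.issue_token(s256(verifier))
    login_url = f"https://auth.example/login?token={token}"  # what the browser sees
    early = server.poll(token, verifier)  # before sign-in: nothing to collect
    server.browser_sign_in(token, user)  # stands in for the user completing sign-in
    snooper = server.poll(token, token)  # knows the URL, but not the verifier
    legit = server.poll(token, verifier)
    replay = server.poll(token, verifier)  # token already consumed
    return {"url": login_url, "early": early, "snooper": snooper, "legit": legit, "replay": replay}
```

The toy server never expires unused tokens; a real deployment should also drop them after a short window.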