Welcome to Vigges Developer Community - Open, Learning, Share
Welcome To Ask or Share your Answers For Others

0 votes
1.2k views
in Technique by (71.8m points)

azure - Is there a secure way to 100% verify the identity of a desktop application against a web-api?

We use the Authentication Code Flow with PKCE to authenticate the users against our native app (WPA) and some web-apis. Is there an additional method to verify the identity of this native app in our web-apis, or is the Authentication Code Flow with PKCE secure enough for this case?

Thanks in advance

question from: https://stackoverflow.com/questions/65840846/is-there-a-secure-way-to-100-verify-the-identity-of-a-desktop-application-again


1 Answer

0 votes
by (71.8m points)

As far as I know, there is no way to authenticate the app itself. If the request starts from a device in my network, I can capture the request along with the access token. Then once I have the access token, I can make calls from an app that I wrote, and there won't be a way for your back-end to know otherwise.

You can only verify the user since the identity provider has issued a signed token for them after they have authenticated. In your back-end you need to check the user's access to the resources they are trying to access.
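
The back-end check described in this answer, as an added example that is not part of the original answer: the API validates the signed token and then authorizes the user named in it, and nothing it receives identifies the calling program. Assumptions: HMAC-SHA256 stands in for the identity provider's asymmetric signature so the sketch runs on the standard library alone, and `IDP_KEY`, `API_AUDIENCE`, `ACL` and the resource ids are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. Stand-in for the identity provider's signing key;
# a real API verifies an asymmetric signature against the provider's public keys.
IDP_KEY = b"constructed-demo-key"
API_AUDIENCE = "api://orders-api"  # hypothetical audience value
# Hypothetical per-user access table kept by the back-end.
ACL = {"alice": {"order-1", "order-2"}, "bob": {"order-3"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, ttl: int = 300) -> str:
    """Plays the identity provider: signs claims for an authenticated user."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "aud": API_AUDIENCE,
                            "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_token(token: str) -> dict:
    """Returns the claims if signature, algorithm, audience and expiry check out."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise PermissionError("bad signature")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            raise PermissionError("unexpected algorithm")
        claims = json.loads(_unb64(body))
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise PermissionError("malformed token") from exc
    if claims.get("aud") != API_AUDIENCE or claims.get("exp", 0) <= time.time():
        raise PermissionError("wrong audience or expired")
    return claims

def handle_request(token: str, resource: str) -> int:
    """API endpoint: the outcome depends only on the token and the user's ACL entry."""
    try:
        claims = verify_token(token)
    except PermissionError:
        return 401
    return 200 if resource in ACL.get(claims.get("sub"), set()) else 403
```

`handle_request` takes only the token and the requested resource, so the per-user `ACL` lookup is the control that limits what any holder of a valid token can reach.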

