
Verify Mobile App with OpenID Connect

TL;DR

Yes, your backend can verify a user who signed in through your mobile app using OpenID Connect (OIDC): the app obtains an ID Token from the OIDC provider and your backend validates it. This guide explains how to do that securely, focusing on checking the ID Token and getting the configuration right. Keep in mind what is being verified: a native app is a public client that cannot hold a secret, so the ID Token proves who the user is, not which app binary sent it.

Steps

  1. Understand the Flow
    • The mobile app sends the user to your authorization server (e.g., Auth0, Google Identity) in the system browser or an in-app browser tab, not in an embedded WebView that the app itself controls.
    • The user authenticates (username/password, MFA, etc.).
    • The authorization server redirects back to the mobile app’s registered redirect URI with an Authorization Code.
    • The mobile app exchanges the code at the token endpoint for an ID Token and, usually, an Access Token.
    • The mobile app sends the ID Token to your backend (over TLS, typically in an Authorization header) for verification.
  2. Configure Your OIDC Provider
    • Register your mobile app with your chosen provider (e.g., Auth0) as a native (public) client.
    • Set a valid redirect URI – this is crucial! It must exactly match the URI on which your mobile app receives the callback after authentication; for native apps that is a custom scheme (for example a reverse-domain scheme such as com.example.app:/callback) or an HTTPS app link that the app has claimed.
    • Define allowed scopes (e.g., ‘openid’, ‘profile’, ‘email’). ‘openid’ is essential for OIDC; without it no ID Token is issued.
    • Note down the Issuer URI – you’ll need this to verify the ID Token, and it must match the token’s iss claim exactly.
    • Obtain the JSON Web Key Set (JWKS) from your provider. Its location is the jwks_uri field of the discovery document at <issuer>/.well-known/openid-configuration; it contains the public keys used to verify the token’s signature.
  3. Backend Verification: Check the Signature
     Your backend needs to verify that the ID Token is genuinely from your OIDC provider and hasn’t been tampered with.

    • Install a suitable library for handling JWTs (JSON Web Tokens). Examples include python-jose in Python, or libraries specific to your backend language. Use a maintained library rather than hand-rolled signature checks in production.
    • Fetch the JWKS from your provider’s jwks_uri and cache it. Keys change rarely, but they do rotate: when a token arrives with a kid you have not seen, refetch the JWKS once (rate-limited, so that random kid values from a client cannot make your backend hammer the provider) before rejecting the token.
      # Example using requests library in Python
      import requests

      # Take the JWKS location from the provider's discovery document instead of
      # guessing a path; the issuer you verify later must be this same value.
      issuer = "https://your-provider.com"
      config = requests.get(f"{issuer}/.well-known/openid-configuration", timeout=5)
      config.raise_for_status()
      jwks_url = config.json()["jwks_uri"]

      response = requests.get(jwks_url, timeout=5)
      response.raise_for_status()
      jwks = response.json()
    • Decode and Verify the ID Token.
      # Example using python-jose in Python
      from jose import jwt
      from jose.exceptions import JWTError

      # The key ID lives in the (unverified) JOSE header. Use it only to pick a
      # key out of the JWKS; trust nothing else in the header.
      header = jwt.get_unverified_header(token)
      key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
      if key is None:
          # Unknown kid: the provider may have rotated keys. Refetch the JWKS once
          # (rate-limited) and retry before rejecting the token.
          raise JWTError("no matching key in JWKS")

      claims = jwt.decode(
          token,
          key,                                 # the matching JWK as a dict
          algorithms=["RS256"],                # pin the algorithm; never read it from the token
          audience="your-client-id",           # your client ID from the OIDC provider
          issuer="https://your-provider.com",  # your Issuer URI
      )
    • Check the Claims: a library call like the one above checks these for you when you pass audience and issuer, but know what is being checked and why:
      • iss (Issuer): Must match your expected Issuer URI exactly.
      • aud (Audience): Must equal, or if it is a list contain, your mobile app’s client ID; when several audiences are present, azp must also be your client ID.
      • exp (Expiration Time): Ensure the token hasn’t expired, allowing only a small clock-skew leeway (a minute or so), never an unlimited one.
      • sub (Subject): A stable identifier for the user that is unique only within this issuer, so key users on the pair (iss, sub).
  4. Secure Storage of User Information
     Once verified, store the sub claim (together with the iss it came from) in your backend to identify the user. Treat the ID Token itself as short-lived proof of login: do not persist it or keep using it as a session credential past its exp. Remember that an ID Token is signed, not encrypted: anyone holding it can read its claims, so it is not a place to carry sensitive data.
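Steps 3 and 4 as one runnable example. This is added code, not the page’s own, and it deliberately uses only the Python standard library so it runs offline: RS256 verification is written out as textbook RSASSA-PKCS1-v1_5 with a constant-time compare, the JWKS comes from a toy issuer constructed inside the example, and the issuer URI, client ID, key ID and claim values are assumed placeholders. In production keep the structure (pin the algorithm, pick the key by kid, verify the signature before reading any claim, then check iss, aud, exp and sub) but let python-jose or another maintained library do the cryptography, and never copy the toy key generation.

```python
# Added example, not the page's own code: stdlib-only ID Token verification (RS256, kid
# lookup in a rotation-aware JWKS cache, claim checks). The toy issuer parts exist only so
# it runs offline; issuer URI, client ID, kid and claim values are assumed placeholders.
import base64, hashlib, hmac, json, math, secrets, time

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# EMSA-PKCS1-v1_5 with SHA-256: 0x00 0x01 FF..FF 0x00 DigestInfo || H (RFC 8017 s9.2)
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa(message, k):
    t = _DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(signing_input, signature, jwk):       # RSASSA-PKCS1-v1_5 verify
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(signature, "big")
    if jwk.get("kty") != "RSA" or len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa(signing_input, k))

class JwksCache:   # unknown kid -> one refetch (rotation), rate-limited against attacker-chosen kids
    def __init__(self, fetch_jwks, min_refresh=300):
        self._fetch, self._min_refresh = fetch_jwks, min_refresh
        self._keys, self._fetched_at = {}, float("-inf")
    def get(self, kid, now):
        if kid not in self._keys and now - self._fetched_at >= self._min_refresh:
            self._keys = {k["kid"]: k for k in self._fetch()["keys"] if "kid" in k}
            self._fetched_at = now
        return self._keys.get(kid)

def verify_id_token(token, cache, issuer, audience, now=None, leeway=60):
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        sig = b64url_decode(s_b64)
        header, claims = (dict(json.loads(b64url_decode(x))) for x in (h_b64, p_b64))
    except (ValueError, TypeError):             # wrong segment count, bad base64/JSON, non-object
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":            # pinned here, never taken from the token ('none', HS256)
        raise ValueError("unexpected alg")
    jwk = cache.get(header.get("kid"), now)     # kid is unverified: use it only to pick a key
    if jwk is None:
        raise ValueError("no signing key for kid")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), sig, jwk):
        raise ValueError("bad signature")        # nothing in the payload is trusted before this point
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if "exp" not in claims or now - leeway >= claims["exp"]:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims                               # identify the user by (iss, sub), see step 4

# --- toy issuer, constructed for the offline demo; a real backend never holds this key ---
def _is_probable_prime(n, rounds=32):           # Miller-Rabin for an odd candidate n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1    # full length, odd
        if _is_probable_prime(c):
            return c

def toy_issuer_key(bits=1024, kid="demo-key-1", e=65537):
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))    # modular inverse, Python 3.8+
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    jwk = {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256", "n": enc(n), "e": enc(e)}
    return {"n": n, "d": d, "kid": kid, "jwks": {"keys": [jwk]}}   # jwks = what the provider publishes

def toy_sign_id_token(key, claims):
    header = {"alg": "RS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(m, key["d"], key["n"]).to_bytes(k, "big"))
```

The order inside verify_id_token is the point: the alg is pinned by the backend, the kid is used only to choose a key, and no claim is read until the signature over header and payload has checked out. JwksCache refetches on an unknown kid at most once per min_refresh seconds, which is what makes key rotation work without letting a client that sends made-up kid values turn your backend into a JWKS-fetching proxy.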

  5. Consider PKCE (Proof Key for Code Exchange)
     For native mobile apps, always use PKCE with the S256 method to prevent authorization code interception attacks: the app proves at the token endpoint that it is the party that started the flow, so a code stolen from the redirect is useless on its own. Your OIDC provider should support this; if it can be configured to require PKCE for the mobile client, turn that on.
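The PKCE exchange from step 5 in code, both the values the app generates and the check the authorization server performs when the code is redeemed. This is an added example, not the page’s or any provider’s code; the client ID and the custom-scheme redirect URI in the usage are assumed placeholders.

```python
# Added example, not the page's own code: the PKCE values (RFC 7636, S256 method) the
# mobile app generates, and the check the authorization server performs at the token
# endpoint. Client ID and redirect URI passed by callers are assumed placeholders.
import base64, hashlib, hmac, secrets

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_code_verifier(nbytes=32):
    """High-entropy verifier of 43..128 unreserved chars (RFC 7636 s4.1); 32 bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))

def code_challenge_s256(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))  (RFC 7636 s4.2)"""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_request_params(client_id, redirect_uri, verifier, state, nonce):
    """Parameters for the authorization endpoint. Only the challenge leaves the device;
    the verifier stays in app memory until the token request."""
    return {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": "openid profile email", "state": state, "nonce": nonce,
            "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256"}

def token_request_params(client_id, redirect_uri, code, verifier):
    """Token-endpoint request: the app presents the original verifier together with the code."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}

def server_accepts_code_exchange(stored_challenge, stored_method, presented_verifier):
    """What the server does with the challenge it stored when it issued the code: an
    intercepted code is useless to an attacker who never saw the verifier."""
    if stored_method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

Refusing the plain method on the server side is deliberate: plain sends the verifier itself as the challenge, so anyone who observed the authorization request could complete the exchange.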
