I have a mobile application that accesses ASP WebAPI in the background.
I implemented token authentication (using the Taiseer guide).
However, there is one concept that I cannot understand: ClientId and ClientSecret.
From what I understand, the client secret (along with the client identifier) is intended to block access to the endpoint of my API that creates tokens. Thus, the endpoint is protected from malicious users trying to push the API and get some information by calling it with various inputs.
Meaning, only clients that hold the secret can trigger an authentication flow. And in my case, I have only one client, which is a mobile application, and the secret is kept in a safe place (Keychain for iOS). But I read that these keychains can be easily dumped and the secret analyzed.
So, I came to the conclusion that I can get rid of all the client secret logic, basically leaving ValidateClientAuthentication() empty:
    // Accepts every client unconditionally: no client_id or secret is checked.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult<object>(null);
    }

And this does not seem to me to be a security hole, but simply a thin layer in the flow that is now gone. Because, again, the client secret can be easily discovered by any attacker who has a mobile device with the application installed, and as soon as he obtains it, this level of security is useless.
Are these assumptions wrong?
Can I leave the ValidateClientAuthentication() method empty?
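An added example of the middle ground, written for this answer and not taken from the question or from the Taiseer guide: OAuth 2.0 (RFC 6749) calls an app that cannot keep a secret a public client, so the secret check is dropped for it, but the client_id is still validated against a registry so that tokens are only issued to known clients and per-client policy (such as refresh token lifetime) can still be applied. A confidential client (for example a server-side reporting job) is still required to present its secret, compared in constant time against a stored hash. The in-memory client registry, the client names, the placeholder secret and the OwinContext key name are all assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Example provider (not the asker's code): public clients get a client_id check only,
// confidential clients must also present a valid secret.
public class ExampleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    private class RegisteredClient
    {
        public string Id;
        public bool IsPublic;            // true: mobile/native app, no secret expected
        public byte[] SecretHash;        // SHA-256 of the secret; null for public clients
        public TimeSpan RefreshTokenLifetime;
    }

    // Assumed in-memory registry; a real server would load this from a database.
    private static readonly Dictionary<string, RegisteredClient> Clients =
        new Dictionary<string, RegisteredClient>(StringComparer.Ordinal)
        {
            ["mobileApp"] = new RegisteredClient
            {
                Id = "mobileApp", IsPublic = true, SecretHash = null,
                RefreshTokenLifetime = TimeSpan.FromDays(7)
            },
            ["reportingService"] = new RegisteredClient
            {
                Id = "reportingService", IsPublic = false,
                SecretHash = Sha256("constructed-placeholder-secret"), // constructed value
                RefreshTokenLifetime = TimeSpan.FromDays(90)
            }
        };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        // Credentials may arrive as HTTP Basic auth or as client_id/client_secret form fields.
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);

        RegisteredClient client;
        if (string.IsNullOrEmpty(clientId) || !Clients.TryGetValue(clientId, out client))
        {
            // Unknown client_id: refuse to issue tokens at all.
            context.SetError("invalid_client", "Client is not registered.");
            return Task.FromResult<object>(null);
        }

        if (!client.IsPublic)
        {
            // Confidential client: the secret is meaningful here, so it must match.
            if (string.IsNullOrEmpty(clientSecret) ||
                !FixedTimeEquals(Sha256(clientSecret), client.SecretHash))
            {
                context.SetError("invalid_client", "Client secret is invalid.");
                return Task.FromResult<object>(null);
            }
        }
        // Public client: no secret check, because anything shipped inside the app can be
        // extracted. The validated client_id still lets later stages apply per-client policy.
        // The key name below is a convention for this example; whatever reads it must agree.
        context.OwinContext.Set<string>("example:refreshTokenLifetimeMinutes",
            client.RefreshTokenLifetime.TotalMinutes.ToString());
        context.Validated(clientId);
        return Task.FromResult<object>(null);
    }

    private static byte[] Sha256(string value)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    // Constant-time comparison so response timing does not reveal how much of a secret matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The point of keeping the method non-empty is not that the mobile client's secret protects anything; it is that an unknown client_id is rejected, and the known client_id is carried into the rest of the pipeline (grant handling, token and refresh token lifetimes), where the real protection for a public client lives: short-lived access tokens, refresh tokens bound to the client, and rate limiting on the token endpoint.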