I am writing a WPF desktop application. I use the Auth0 SDK to log in to my Auth0 domain and obtain an access token for my API and an ID token. I do so by calling
My loginResult.AccessToken and loginResult.IdentityToken contain my tokens as I expect.
Isn’t it possible for a hacker who obtains Admin access to my computer to see these tokens stored in RAM or if persisted to the disc cache? If so, can’t he use these tokens to access my APIs?
If someone gains administrative access to your computer, then “all bets are off” as they say. You cannot stop them from accessing everything and anything on your machine, and leveraging any existing connections to other services.
The best way to mitigate this risk is to use multi-factor authentication capabilities and keep your token lifetime short. There’s still a risk there, but there’s only so much you can do once someone has root privileges on your machine.
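One way to act on that answer from the WPF side, as an added example that is not code from either poster or from the Auth0 SDK: hold the access token in memory only, never persist it, and enforce a maximum lifetime on what the tenant issues so that a misconfigured long-lived token is caught at login rather than sitting around for an attacker. The example assumes the `Auth0.OidcClient.WPF` and `System.IdentityModel.Tokens.Jwt` NuGet packages, assumes the access token is a JWT (it is only a JWT when the API audience is requested; otherwise Auth0 issues an opaque token), and uses placeholder domain and client-id values. The `TokenLifetimePolicy` and `ApiSession` names, and the 15-minute limit, are this example's choices, not anything the thread prescribes; the lifetime itself is configured on the API in the Auth0 dashboard, the client can only check it.

```csharp
// Added example, not from the original thread. Assumes Auth0.OidcClient.WPF and
// System.IdentityModel.Tokens.Jwt; domain and client id below are placeholders.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Auth0.OidcClient;

public static class TokenLifetimePolicy
{
    // Longest issued access-token lifetime this client will accept. The real
    // lifetime is set on the API in the Auth0 dashboard; this is a local check.
    public static readonly TimeSpan MaxAccessTokenLifetime = TimeSpan.FromMinutes(15);

    // Parses the JWT without validating its signature (the API validates it;
    // the client only reads exp/iat). Returns null for opaque, non-JWT tokens.
    private static JwtSecurityToken Read(string token)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.CanReadToken(token) ? handler.ReadJwtToken(token) : null;
    }

    // exp - iat of the issued token, or null if it is not a JWT.
    public static TimeSpan? IssuedLifetime(string token)
    {
        var jwt = Read(token);
        return jwt == null ? (TimeSpan?)null : jwt.ValidTo - jwt.ValidFrom;
    }

    // Time left before exp, relative to the supplied clock; null if not a JWT.
    public static TimeSpan? RemainingLifetime(string token, DateTime nowUtc)
    {
        var jwt = Read(token);
        return jwt == null ? (TimeSpan?)null : jwt.ValidTo - nowUtc;
    }
}

public sealed class ApiSession
{
    private readonly Auth0Client _client;
    private string _accessToken; // memory only: never written to disk or settings

    public ApiSession(Auth0Client client) { _client = client; }

    // Returns a usable access token, re-running the interactive login when the
    // cached one has (nearly) expired. Auth0 enforces MFA during LoginAsync if
    // it is enabled for the tenant, so a short lifetime means frequent MFA.
    public async Task<string> GetAccessTokenAsync()
    {
        var remaining = _accessToken == null
            ? null
            : TokenLifetimePolicy.RemainingLifetime(_accessToken, DateTime.UtcNow);
        if (remaining.HasValue && remaining.Value > TimeSpan.FromSeconds(30))
            return _accessToken;

        var result = await _client.LoginAsync();
        if (result.IsError)
            throw new InvalidOperationException(result.Error);

        var lifetime = TokenLifetimePolicy.IssuedLifetime(result.AccessToken);
        if (lifetime.HasValue && lifetime.Value > TokenLifetimePolicy.MaxAccessTokenLifetime)
            throw new InvalidOperationException(
                $"Issued access token lives {lifetime.Value}, longer than policy allows; " +
                "shorten Token Expiration on the API in the Auth0 dashboard.");

        _accessToken = result.AccessToken;
        return _accessToken;
    }
}

public static class Example
{
    // Placeholder values; replace with your tenant's domain and the WPF app's client id.
    public static ApiSession Create() =>
        new ApiSession(new Auth0Client(new Auth0ClientOptions
        {
            Domain = "YOUR_TENANT.auth0.com",
            ClientId = "YOUR_CLIENT_ID"
        }));
}
```

Rejecting an over-long token at login is deliberately loud: it surfaces a dashboard misconfiguration during development instead of leaving a token in memory that stays valid long after a compromised machine has been cleaned up. The 30-second margin simply avoids sending a request with a token that expires in transit.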