
Securing Electron Applications with OpenID Connect and OAuth 2.0

Learn how to secure your Electron applications using standards like OpenID Connect and OAuth 2.0.

Brought to you by @bruno.krebs


What do you think? Was it easy to secure Electron with OAuth 2.0 and OpenID Connect? Leave a comment!

Edit: This article was updated to Electron v5 and comments moved to community.

Thanks for the article!
Given electron lets you execute custom code on the browser windows, don’t the electron app developers have the power to capture the auth0 credentials?
Shouldn’t the oauth flow be happening on the browser itself?
Thanks!

Hey there! Yes, it is technically possible for the developer to capture traffic there; that said, that is true for any process running with sufficient privileges on the desktop regardless of whether they are in focus (whereas if you’d be working on an app on iOS or Android, every app would have exclusive focus at any given time, hence outsourcing auth to the system browser would be an effective way of preventing keylogging).
Use of the system browser on the desktop is problematic, mostly for user experience limitations with today’s browser support on desktop operating systems. In fact, most desktop apps (slack, office, visual studio, visual studio code, even the google drive app) nowadays use some form of embedded browser. Desktop clients using the system browser are rare (github is the only example I know of, really) and do have usability challenges.
There is good progress occurring in the modern operating systems, see for example the new features in Apple beta OS making it possible in the desktop to invoke the system browser in the same style. But for the time being, if you want to target current OSes the embedded browser is what most native clients do on desktops.

For more details, please see https://auth0.com/docs/videos/learn-identity/05-desktop-and-mobile-apps#wistia_dq3c4pz9lb?time=620

Thanks for the quick reply.
Actually slack, even though it uses the webview for displaying the actual application, when you want to add a new workspace, you get redirected to the browser in order to perform authentication. That’s also true for Talkdesk (https://support.talkdesk.com/hc/en-us/articles/115005728186-Logging-in-to-Talkdesk-Callbar).

My rationale is only that if I was an IdP, I wouldn’t want products with embedded browsers to be using SSO with my service, as I would be putting at risk my own users (although I don’t think there would be a way for me to prevent it).

That is a legitimate concern, however as of today the usability issues I mentioned are hard- and the use of a system browser doesn’t fully assuage those concerns: for example, unless you use the secure desktop API in Windows there’s always the possibility of the app having a global keylogger that will intercept the message pump no matter what app is in focus. The main reason for tolerating the usability issues of the system browser on desktop is achieving SSO rather than sheer security (whereas on mobile platforms the security advantages are more substantial).


I’m struggling to find a method to pull app_metadata or user_metadata. How would you recommend doing that in your electron example? Thanks!