Protecting public clients using an authorization algorithm

B.V. Bodak, A.Yu. Doroshenko


The paper focuses on authorization in public clients and provides a secure authorization model as an alternative to costly Microsoft Duende BFF solution. After providing a brief overview of confidential and public clients in terms of authorization, we have analyzed problems and potential attack vectors associated with the authorization process in public clients due to their inability to hold credentials securely. Confidential clients are implemented on secure servers or able to facilitate secure authentication by other means, while public clients lack this security. Our research discovered algorithms, models, and methods for secure authorization in public clients. As a part of our model, we have implemented high entropy Proof Key for Code Exchange generator in C# .NET 6.0. In addition, we have provided a solution to a problem of storing sensitive information in public clients using the Backend for Frontend concept. This concept leverages a reverse proxy pattern where a backend application acts as a proxy and handles all client requests. Having a proxy backend application significantly tightens security model for public clients, while restricting possible attack vectors. The authorization model being researched was based on Proof Key for Code Exchange and Backend for Frontend approach. During the testing phase of our research, we have confirmed that the model was not vulnerable to Cross-Site-Scripting and Auth Code Interception attacks. A sequence diagram outlining main actors and interactions among them in context of authorization has been designed. The diagram stands as the visual representation of the model that uses proposed methods and algorithms. As a result, we have managed to build an alternative to secure authorization solutions for public clients that do not rely on the client secret. We have summarized our key findings in a Blazor Web Assembly application, which is classified as public and uses the described authentication model.

Prombles in programming 2022; 3-4: 409-416



authorization; authentication; PKCE; Proof Key for Code Exchange; Identity Server; public application; OAUTH; XSS; information security


The OAuth 2.0 Authorization Framework. Microsoft Internet Engineering Task Force (IETF). Available from: html/rfc6749#section-2.1 [Accessed 1/08/2022].

Testing for OAuth Client Weaknesses. OWASP Project. Available from: Web_Application_Security_Testing/05-Authorization_Testing/05.2-Testing_for_OAuth_Client_Weaknesses [Accessed 1/08/2022].

Bansal, C., Bhargavan, K., Delignat-Lavaud, A. and Maffeis, S., 2014. Discovering concrete attacks on website authorization by formal analysis. Journal of Computer Security, 22(4), pp.601-657.

Ghasemisharif, M., Ramesh, A., Checkoway, S., Kanich, C. and Polakis, J., 2018. O Single {Sign-Off}, Where Art Thou? An Empirical Analysis of Single {Sign-On} Account Hijacking and Session Management on the Web. In 27th USENIX Security Symposium (USENIX Security 18) (pp. 1475-1492).

Lodderstedt, T., Bradley, J., Labunets, A. and Fett, D., OAuth 2.0 Security Best Current Practice (draft-ietf-oauth-security-topics-16). Inter- net Engineering Task Force (IETF). Available from: [Accessed 1/08/2022].

Proof Key for Code Exchange by OAuth Public Clients. Google Internet Engineering Task Force (IETF) Available from: https://datatracker. [Accessed 1/08/2022].

Lodderstedt, T., McGloin, M. and Hunt, P., 2013. RFC 6819: OAuth 2.0 threat model and security considerations. Internet Engineering Tast Force (IETF), pp.1-71.

App security best practices. Android Developers Documentation. Available from: practices#safe-data [Accessed 1/08/2022].

Encrypting Your App's Files. Protect the user's data in iOS by encrypting it on disk. Apple Developers Documentation. Available from: https:// [Accessed 1/08/2022].

Window.localStorage. Mozilla Development Documentation. Available from: calStorage [Accessed 1/08/2022].

Cross Site Scripting (XSS). OWASP Community. Available from: [Accessed 1/08/2022].

Using HTTP cookies. Mozilla Development Documentation. Available from: Cookies#security [Accessed 1/08/2022].

Same Site cookies. Mozilla Development Documentation. Available from: Cookie/SameSite [Accessed 1/08/2022].

BFF Security Framework. Duende Software. Available from: [Accessed 1/08/2022].

ASP.NET Core Blazor. Microsoft Documentation. Available from: [Accessed 1/08/2022].

A. Chiarelli. Building a Reverse Proxy in .NET Core. Auth0 Blog. Available from: core/ [Accessed 1/08/2022].



  • There are currently no refbacks.