Hi,
Got a little confusion regarding authentication, mainly dealing with
how a backend server can prevent spoofing attacks from client apps
created by "evil" developers.
Assuming signed fetch requests are used,
1. Does shindig send out the viewerid to the backend server and let it
know which user is trying to access the data?
If yes, how can the server retrieve this data?
If no, then is it supposed to be the job of the client app to send it,
and in that case, how can the server be sure the client is not trying to
spoof as other users when accessing the server?
2. Would it be possible for the backend server to only allow access
to its data from "authorized" client apps? An example would be that
it only wants to allow data access from the specific client apps that
they built, but no others. Is there a way for the backend server to
authenticate which particular app is currently trying to get access?
Assuming OAuth is used,
3. How can the user be sure that the sign-on page is not spoofed by the
client to trick them into entering their username/password and then
steal them?
Thanks. Any pointers or documentation would be greatly appreciated.
Sincerely,
Anthony
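An added example, not from the original post or from the Shindig project, showing how a backend can verify a signed fetch request before trusting the opensocial_viewer_id it carries. It assumes a constructed consumer key/secret shared with the container (HMAC-SHA1); Shindig's default signed fetch uses RSA-SHA1 over the same OAuth 1.0 base string, verified with the container's public key. The URL, nonce and user ids are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Assumed setup (constructed, not from the post): the backend shares an OAuth 1.0
# consumer secret with the container, so signed fetch uses HMAC-SHA1.
CONSUMER_KEY = "example-container"
CONSUMER_SECRET = "constructed-shared-secret"

def _pct(s):
    return quote(str(s), safe="-._~")          # RFC 3986 encoding required by OAuth 1.0a

def base_string(method, url, params):
    # Method, URL without query, and every parameter except oauth_signature,
    # sorted by encoded key then value.
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(url), _pct(normalized)])

def hmac_sha1(method, url, params, secret=CONSUMER_SECRET):
    key = (_pct(secret) + "&").encode()        # no token secret in 2-legged signed fetch
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_signed_fetch(method, url, params, now, max_skew=300):
    """Return opensocial_viewer_id only after the container's signature checks out.
    Until then every parameter, viewer id included, is client-controlled input."""
    if params.get("oauth_consumer_key") != CONSUMER_KEY:
        return None
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return None
    if abs(now - int(params.get("oauth_timestamp", 0))) > max_skew:
        return None                             # stale; pair with a nonce store against replay
    expected = hmac_sha1(method, url, params)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None
    return params.get("opensocial_viewer_id")

# Constructed request as the container would send it to the backend.
URL = "https://backend.example/api/profile"
REQUEST = {
    "oauth_consumer_key": CONSUMER_KEY, "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000", "oauth_nonce": "c0ffee", "oauth_version": "1.0",
    "opensocial_owner_id": "user-42", "opensocial_viewer_id": "user-42",
    "opensocial_app_url": "https://gadgets.example/app.xml",
}
REQUEST["oauth_signature"] = hmac_sha1("GET", URL, REQUEST)

def demo():
    ok = verify_signed_fetch("GET", URL, REQUEST, now=1700000000)
    forged = dict(REQUEST, opensocial_viewer_id="user-1")   # client rewrote the viewer id
    return ok, verify_signed_fetch("GET", URL, forged, now=1700000000)
```

Because the container, not the gadget, signs the request, a client that rewrites opensocial_viewer_id invalidates the signature and the backend gets no viewer id at all.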