Hi, we are developing a hybrid app with the latest version of Ionic that implements OAuth authentication with the implicit grant flow (using identity server http://identityserver.io with oidc-client https://github.com/IdentityModel/oidc-client-js).
We have found that it is possible to spoof the client configuration (client_id, redirect_uri and scopes) and to use it in another third-party app.
Is there any way to protect the configuration (obfuscation) or to not allow a third-party app to use it?
Any suggestions on how to solve this?
Is “implicit grant flow” the right flow for a hybrid app?