I am currently in the process of developing a desktop application that integrates with Spotify's oauth api using the implicit grant flow as outlined here:
My plan is to incorporate an "Authenticate" button, which when clicked will open the user's default browser for them to login and authorize the connection with Spotify. Subsequently, they will be redirected to a specific URL.
The redirect URL I intend to use is 127.0.0.1:58212 or another port on the loopback device.
However, my main query pertains to whether it is imperative to utilize HTTPS for this operation.
After careful consideration, I am inclined towards implementing HTTPS for two primary reasons; firstly, to ensure the security of the access token, as other users on the system may intercept the message being sent. Secondly, due to the potential threat of ports being compromised while the user logs in.
Therefore, securing the communication through SSL encryption seems necessary, along with verifying the authenticity of the communication link.
Generating a certificate for each instance of the application and informing the computer to trust that certificate for the duration of the application's lifecycle remains a concern for me.
An alternative approach could involve creating the certificate during app installation, followed by steps prompting the system to recognize and accept the newly generated certificate.
I seek confirmation on whether my current thought process aligns with best practices, or whether there are better alternatives worth exploring.
My development stack comprises Electron and Express in JavaScript for crafting the application.
Your insights and guidance on this matter would be greatly appreciated.