oauth-2.0, identityserver4

Hybrid Flow Web View Attacker Knows Redirect URL (IdentityServer4)


There is some confusion in my mind with the hybrid flow.

In this scenario, suppose we have a native desktop application that needs to authenticate a user. For such a case, we use the recommended hybrid flow.

As I understand it, we will use an embedded web browser to direct the user to the login page at the identity server. The user logs in successfully and the server redirects the web browser to the registered redirect URL. The desktop application is notified of this redirect (something like an OnLoadFinished event) and parses the new URL, which contains some information including the authorization code. The desktop application then exchanges this authorization code for an access token/refresh token.

With this process in mind, is it not entirely possible that if a malicious user knows what the redirect URL and client ID are (let's pretend this user is an ex-employee), they can create an application very similar to our desktop application to trick users into using that malicious application? Since they know both the redirect URL and the client ID, they can simulate the above process and get access/refresh tokens.

Am I correct in understanding that or is there something that I am missing?


Solution

  • You are absolutely correct. Just like with any other malware that a user installs on their machine/device.