We have also seen these referred to as non-confidential user-agents.
Major Security Threat#
A major security threat is a malicious application impersonating an OAuth Public Client application by using the same application URL to steal the Authorization Code and exchange it for the Access Token, Refresh Token or Identity Token.
- during distribution of the application
- over API calls
- Native Applications Working Group was created to mitigate these threats but there have been any solutions proposed.
- Proof Key for Code Exchange by OAuth Public Clients - secures the transaction between the application and the OAuth Authorization Server but does not deal with "during distribution of the application"
- App-claimed HTTPS URI Redirection - does not deal with "during distribution of the application"
- App-declared Custom URI Scheme Redirection - does not deal with "during distribution of the application"
- Authorization Cross Domain Code 1.0 - Authorization Cross Domain Code 1.0 is a profile of the OpenID Connect Core
More Information#
There might be more information for this subject on one of the following:
- Implicit Flow
- Non-confidential user-agents
- OAuth 2.0 Client Types
- OAuth 2.0 Profiles
- OAuth Client
- Proof Key for Code Exchange by OAuth Public Clients
- [#1] - The OAuth 2.0 Authorization Framework-Client Types - based on information obtained 2015-01-15