OAuth Public Client


An OAuth Public Client is an application that is not capable of keeping a Client Secret confidential.

For example, a mobile phone application or a desktop application that has the OAuth Client Secret (password) embedded inside it. Most Single-Page Applications (SPAs) and IoT devices also fall into this category.

We have also seen these referred to as non-confidential user-agents.

Such an application could be cracked (reverse engineered), and this would reveal the password. The same is true for a JavaScript application running in the user's browser: the user could use a JavaScript debugger to inspect the application and read the Client Secret.

Major Security Threat#

A major security threat is a malicious application that impersonates an OAuth Public Client application by using the same application URL, steals the Authorization Code, and exchanges it for the Access Token, Refresh Token or Identity Token.

It is nearly impossible to secure the OAuth Client Secret in a native application, both:

  • during distribution of the application
  • during API calls
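The page does not name a mitigation for the Authorization Code theft described above, but the standard one for public clients is PKCE (RFC 7636): the client binds the Authorization Code to a one-time secret it never sends over the wire until the token request. The following is an added example, not code from the original page; the in-memory `AuthorizationServer`, the `client_id` and the redirect URL are constructed stand-ins, and only the `code_verifier`/`code_challenge` derivation and the token-endpoint check reflect the RFC. It shows why an impersonating application that intercepts the code alone cannot redeem it, and that the legitimate client's later attempt then also fails because the code is single use, which is a detectable signal for the authorization server.

```python
"""PKCE (RFC 7636) against Authorization Code interception by a public client.

Added example for this page; the server and identifiers are constructed.
"""
import base64
import hashlib
import secrets

# RFC 7636 Appendix B test vector, usable to check the derivation below.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory server: binds each issued code to its challenge."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        # The code is consumed on first use, whether or not the check passes.
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, stored_redirect, stored_challenge = entry
        if (client_id, redirect_uri) != (stored_client, stored_redirect):
            return {"error": "invalid_grant"}
        if code_verifier is None or not secrets.compare_digest(
            make_code_challenge(code_verifier), stored_challenge
        ):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


# Constructed identifiers for the public client; a malicious app that registers
# the same redirect URL would present exactly these same values.
CLIENT_ID = "public-mobile-app"
REDIRECT_URI = "com.example.app:/callback"


def legit_flow():
    """Legitimate client: verifier stays on the device until the token request."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    return server.token(CLIENT_ID, REDIRECT_URI, code, verifier)


def interception_flow():
    """An impersonating app receives the code on the shared URL but never saw
    the verifier. It is refused, and because the code was consumed, the real
    client's own exchange fails too, which the server can log as an incident."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    interceptor = server.token(CLIENT_ID, REDIRECT_URI, code, code_verifier=None)
    legit_after = server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    return {"interceptor": interceptor, "legit_after": legit_after}


if __name__ == "__main__":
    print("legitimate:", legit_flow())
    print("intercepted:", interception_flow())
```

The token endpoint treats a missing verifier, a wrong verifier and an unknown code identically (`invalid_grant`), so a failed exchange leaks nothing about which part was wrong; the single-use rule means a legitimate client hitting `invalid_grant` on a freshly received code is itself evidence that the code was redeemed by someone else.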

Possible Solutions#

More Information#

There might be more information for this subject on one of the following: