jspωiki
OAuth Public Client

Overview[1]#

A OAuth Public Client is an application that is not capable of keeping a Client Secret confidential.

OAuth Public Client is NOT a OAuth Confidential Client

For Example, a Mobile Device Native application or a desktop application that has the OAuth Client password embedded inside it. Most Single-Page Applications (SPAs) and IoT devices.

We have also seen these referred to as non-confidential user-agents

Such an application could get cracked, and this could reveal the password. The same is true for a JavaScript application running in the users browser. The user could use a JavaScript debugger to look into the application, and see the Client Secret.

Major Security Threat #

A major security threat is a malicious application impersonating an OAuth Public Client application by using the same application URL to steal the Authorization Code and exchange it for the Access Token, Refresh Token or Identity Token.

It is near impossible to secure the OAuth Client Secret on a native application for both:

  • during distribution of the application
  • over API calls

Recommendations#

Follow OAuth 2.0 Security Considerations

Native applications should use the appropriate AppAuth SDK#

The AppAuth SDKs are available for the major Native applications Operating Systems as well as a JavaScript SDK

Single-Page Applications (SPAs)#

PKCE using the Authorization Code Grant as Proof Key for Code Exchange by OAuth Public Clients

More Information#

There might be more information for this subject on one of the following: