We have also seen these referred to as non-confidential user-agents
Major Security Threat #A major security threat is a malicious application impersonating an OAuth Public Client application by using the same application URL to steal the Authorization Code and exchange it for the Access Token, Refresh Token or Identity Token.
- during distribution of the application
- over API calls
- Native Applications Working Group was created to mitigate these threats but there have been any solutions proposed.
- Proof Key for Code Exchange by OAuth Public Clients - secures the transaction between the application and the OAuth Authorization Server but does not deal with "during distribution of the application"
- Claimed Https Scheme URI Redirection - does not deal with "during distribution of the application"
- Private-Use URI Scheme Redirection - does not deal with "during distribution of the application"
- Authorization Cross Domain Code 1.0 - Authorization Cross Domain Code 1.0 is a profile of the OpenID Connect Core
More Information#There might be more information for this subject on one of the following:
- Access Token
- Best Practices OpenID Connect
- Claimed Https Scheme URI Redirection
- Client Authentication Methods
- Client Secret
- Custom URI scheme
- Grant Types
- Implicit Flow
- Implicit Grant
- Native application
- Non-confidential user-agents
- OAuth 2.0 Client Registration
- OAuth 2.0 Client Types
- OAuth 2.0 Profiles
- OAuth 2.0 for Native Apps
- OAuth Client
- Proof Key for Code Exchange by OAuth Public Clients
- Web Blog_blogentry_150617_1
- [#1] - The OAuth 2.0 Authorization Framework-Client Types - based on information obtained 2015-01-15