!!! Overview
[1] A [{$pagename}] is an application that is not capable of keeping a [Client Secret] [confidential|Confidentiality]. A [{$pagename}] is __NOT__ an [OAuth Confidential Client].

For [Example], a [Mobile Device] [Native application] or a desktop application that has the [OAuth Client] password embedded inside it is a [{$pagename}], as are most [Single-Page Applications] ([SPAs]) and [IoT] devices. We have also seen these referred to as [non-confidential user-agents].

Such an application can be decompiled or otherwise reverse engineered, and that reveals the password. The same is true for a [JavaScript] application running in the user's browser: the user (or anyone with access to that browser) can use the JavaScript debugger to inspect the application and read the [Client Secret].

!! Major Security Threat
A major security threat is a malicious [application] impersonating a [{$pagename}] by registering the same application URL (the redirect URI) in order to steal the [Authorization Code] and exchange it for the [Access Token], [Refresh Token] or [Identity Token]. Because the client cannot hold a secret, the [Authorization Server] has no way to tell the legitimate client and the impostor apart at the token endpoint unless the client proves, with something the impostor never saw, that it is the party that started the request.

It is near impossible to secure the OAuth [Client Secret] on a [native application] for both:
* during distribution of the application
* over API calls

!! Recommendations
Follow [OAuth 2.0 Security Considerations].

! [Native applications] should use the appropriate [AppAuth] [SDK]
The [AppAuth] [SDKs] are available for the major [Native applications] [Operating Systems] as well as a [JavaScript] [SDK].

! [Single-Page Applications] ([SPAs]) should use the [Authorization Code Grant] with [PKCE]
[PKCE] ([Proof Key for Code Exchange by OAuth Public Clients]) binds the [Authorization Code] to a one-time code_verifier that never leaves the legitimate client, so a stolen code cannot be exchanged for tokens without it. This is the flow recommended for browser-based apps.[2]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [The OAuth 2.0 Authorization Framework-Client Types|https://tools.ietf.org/html/rfc6749#section-2.1/|target='_blank'] - based on information obtained 2015-01-15
* [#2] - [OAuth 2.0 for Browser-Based Apps|https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04|target='_blank'] - based on information obtained 2019-12-23