What's the purpose of the client secret in OAuth2?

14,256

Solution 1

Client Secret was used in OAuth 1.0 to sign the request, so it was required. Some OAuth2 servers (such as Google Web Server API) required the client secret to be sent to receive the access token (either from request token or refresh token).

OAuth 2.0 has reduced the role of the client secret significantly, but it is still passed along for the servers that use it.

Solution 2

This discussion provides an excellent explanation of why the client secret is much more important for server-side apps than client-side apps. An excerpt:

Web apps [server-side apps] use client secrets because they represent huge attack vectors. Let us say that someone poisons a DNS entry and sets up a rogue app "lookalike", the juxtapose might not be noticed for months, with this intermediary sucking up tons of data. Client secrets are supposed to mitigate this attack vector. For single user clients, compromise has to come one device at a time, which is horribly inefficient in comparison.
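As an added illustration (example code written for this page, not part of either answer), the token-endpoint check that gives the secret its value for a server-side client: a confidential client must prove possession of its secret before an authorization code is redeemed, so a code intercepted by a lookalike site cannot be turned into a token, while a public (browser-only) client is simply not asked for a secret it could never protect. Client registrations and codes are constructed sample data.

```python
import hmac
import secrets

# Constructed registrations: one confidential (server-side) client that holds
# a secret, and one public (browser-only) client that cannot keep one.
CLIENTS = {
    "webapp": {"secret": "s3cr3t-example", "confidential": True},
    "spa": {"secret": None, "confidential": False},
}

# Authorization codes are bound to the client_id they were issued to.
# Constructed sample: one outstanding code per client.
ISSUED_CODES = {
    "code-abc": "webapp",
    "code-xyz": "spa",
}


def exchange_code(client_id, code, client_secret=None):
    """Redeem an authorization code for an access token (token endpoint logic).

    Returns a dict with "access_token" on success or "error" on failure.
    Confidential clients must present their secret; public clients are not
    asked for one because anything shipped to a browser is readable by anyone.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    if client["confidential"]:
        # A stolen code on its own is useless without the secret; compare in
        # constant time so the check does not leak how many bytes matched.
        if client_secret is None or not hmac.compare_digest(
            client_secret.encode(), client["secret"].encode()
        ):
            return {"error": "invalid_client"}
    # The code must have been issued to exactly this client_id.
    if ISSUED_CODES.get(code) != client_id:
        return {"error": "invalid_grant"}
    # Single use: a redeemed code cannot be replayed later.
    del ISSUED_CODES[code]
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```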

Author: Robin

Rails developer at Devpost. http://devpost.com/niuage I love design as much as I love code.

Updated on August 02, 2022

Comments

  • Robin, almost 2 years ago

    I have an app that offers an API. This app is an OAuth2 provider.

    I want to access this API (read & write) with a client-side only app. I'm using JSO to make this easier.

    It works great.

    The thing is, I don't have to enter my client secret (of the application I registered in my app) anywhere. And I understand why: it would then be available to anyone.

    So, if I can access my API without the client secret, could you explain to me what its purpose is?