wazzaday

Reputation: 9664

OAuth 2.0 how to encrypt client id and secret

When requesting access to an application via OAuth 2.0 you need certain credentials. In the case of Google, the request URL which sends the user to a page to allow access contains the client ID and secret. Does this not leave the data open for anyone to grab and request access to apps on my application's behalf?

Also, is OAuth only possible through a browser or can it be achieved completely server side?

I'm pretty new to this so apologies if I'm missing something obvious.

Upvotes: 2

Views: 1990

Answers (1)

Your calls to the OAuth 2.0 authorization server which contain your client ID and client secret MUST be made over an encrypted channel (= using SSL/TLS). The standard says (chapter 2.3.1):

 The authorization server MUST require the use of TLS as described in Section 1.6 when sending requests using password authentication.

Upvotes: 2
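As an added illustration (not code from the question or the answer), the two requests of the standard authorization-code flow, with constructed endpoint URLs and placeholder credentials: the browser redirect carries only the public client ID, while the client secret is sent in the server-to-server token exchange, as an HTTP Basic header per RFC 6749 section 2.3.1, and that request is refused unless the token endpoint uses https.

```python
import base64
from urllib.parse import urlencode, urlparse, parse_qs, quote

# Constructed placeholder values; not real credentials or endpoints.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
AUTH_ENDPOINT = "https://auth.example.test/o/oauth2/auth"
TOKEN_ENDPOINT = "https://auth.example.test/o/oauth2/token"
REDIRECT_URI = "https://app.example.test/oauth/callback"


def build_authorization_url(client_id, redirect_uri, scope, state):
    """Step 1: URL the user's browser is sent to. It carries the client ID
    (public) plus a state value to bind the callback to this session; the
    client secret never appears here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def uses_tls(url):
    """True only for https URLs; the secret must not be sent in clear text."""
    return urlparse(url).scheme == "https"


def basic_auth_header(client_id, client_secret):
    """RFC 6749 2.3.1: form-encode both values, join with ':' and base64 them."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def build_token_request(token_endpoint, code, redirect_uri, client_id, client_secret):
    """Step 2: server-side exchange of the authorization code for a token.
    Returns the request as a dict (nothing is sent) so it can be inspected."""
    if not uses_tls(token_endpoint):
        raise ValueError("token endpoint must use TLS (RFC 6749 section 2.3.1)")
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }
```

The token request is only built here, not sent; with a real HTTP client the same dict maps directly onto a POST made from the server, never from the browser.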
