Alex A.

Reputation: 2603

Mobile app and OAuth integration

We are currently working on a design for OAuth in our ecosystem. The idea, of course, is that the mobile app will authenticate with the OAuth server using the user credentials grant type to get the token for the further workflow. On the other hand, the protected resource server will validate the token info with the same OAuth server and respond accordingly.

It is all clear, but there is one concern: to get that working, we must deliver the app with the client secret compiled into the code. This opens a big security hole. Is there a way to avoid it, or is it even an issue?

Thanks,

Upvotes: 0

Views: 72

Answers (1)

Takahiko Kawasaki

Reputation: 19001

From RFC 6749, 4.3.2. Access Token Request:

The authorization server MUST:

   o  require client authentication for confidential clients or for any
      client that was issued client credentials (or with other
      authentication requirements),

So, if the client type (RFC 6749, 2.1. Client Types) of your client application is public (and your client has not been issued a client secret), you don't have to include your client secret in a token request. In other words, you can get an access token without presenting a client secret to the authorization server. In this case, you can avoid embedding your client secret into your client application.

On the other hand, if the client type of your client application is confidential, the client application should not be delivered to smartphones.

How to set the client type to public or confidential depends on the implementation of the authorization server you are using. Some implementations offer an explicit toggle button to select public or confidential. Others do not offer such an explicit option and the client type of your client application is determined implicitly. For example, if you select Android Application in the configuration page provided by an authorization server, the client type will become public.

Note that, however, some authorization server implementations may always require a client secret regardless of whether the client type is public or confidential.

Upvotes: 1
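The difference the answer draws between a public and a confidential client shows up in the bytes the app actually sends to the token endpoint. The following is an added example (not code from the question, the answer, or any particular authorization server) that builds the RFC 6749 section 4.3.2 access token request for both client types: the public client identifies itself with client_id only and carries no secret, while the confidential client sends its secret via HTTP Basic authentication (section 2.3.1) and should therefore never be the type shipped inside a mobile app. The token endpoint URL and client identifiers are constructed sample values; the two small decoding helpers are there so the request can be inspected the way an authorization server would see it.

```python
"""
Added example: RFC 6749 4.3.2 token request for public vs confidential clients.
Not part of the original question or answer; endpoint and identifiers are
constructed sample values.
"""
import base64
from urllib.parse import urlencode, parse_qs, quote_plus, unquote_plus

TOKEN_ENDPOINT = "https://auth.example.invalid/oauth/token"  # constructed sample


def build_token_request(client_type, client_id, username, password,
                        scope=None, client_secret=None):
    """Return (url, headers, body) for a resource owner password credentials
    grant request (RFC 6749 4.3.2).

    public       -> the client was never issued a secret; it identifies itself
                    with client_id in the body (3.2.1) and sends no
                    Authorization header.
    confidential -> a secret is required; it is sent with HTTP Basic auth,
                    the scheme 2.3.1 says the server MUST support.
    """
    if client_type not in ("public", "confidential"):
        raise ValueError("client_type must be 'public' or 'confidential'")

    params = {"grant_type": "password", "username": username, "password": password}
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if client_type == "public":
        if client_secret is not None:
            # The point of the answer: a public client has no secret to embed.
            raise ValueError("a public client has no client secret; do not ship one")
        params["client_id"] = client_id
    else:
        if not client_secret:
            raise ValueError("a confidential client must authenticate")
        # 2.3.1: id and secret are form-urlencoded, then Basic-encoded.
        creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()

    return TOKEN_ENDPOINT, headers, urlencode(params)


def decode_form_body(body):
    """Server-side view of the body: single-valued dict of the form fields."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def decode_basic_client_auth(headers):
    """Server-side view of the Authorization header: (client_id, secret) or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    raw = base64.b64decode(auth[len("Basic "):]).decode()
    cid, _, secret = raw.partition(":")
    return unquote_plus(cid), unquote_plus(secret)


def request_contains_secret(headers, body, client_secret):
    """Defensive check for a mobile build: would this request leak the secret?"""
    if client_secret is None:
        return False
    if client_secret in decode_form_body(body).values():
        return True
    creds = decode_basic_client_auth(headers)
    return bool(creds and creds[1] == client_secret)


if __name__ == "__main__":
    url, hdrs, body = build_token_request("public", "mobile-app", "alice", "pw")
    print("public client  ->", hdrs, body)
    url, hdrs, body = build_token_request("confidential", "backend", "alice", "pw",
                                          client_secret="s3cret")
    print("confidential   ->", hdrs, body)
```

Run with no arguments to print both requests side by side. The public request contains only `grant_type`, `username`, `password` and `client_id`, which is why registering the mobile app as a public client removes the need to compile a secret into it; whether your server lets you register it that way is the implementation-specific point the answer makes in its last two paragraphs.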
