Reputation: 145
When an Android OAuth 2.0 client application has the client ID and client secret hard-coded in it, it is very easy to decompile the application and retrieve the credentials. Then what is the use of providing these credentials to the OAuth server?
Upvotes: 1
Views: 1600
Reputation: 54118
It is not recommended to hard-code client_id and client_secret into a native app, i.e. to use what is called a "confidential client" in a mobile app scenario, exactly because the client_secret cannot be kept a secret.
A native app would typically be a "public client" to the Authorization Server, i.e. one that does not have a client_secret. Security would come from the fact that a unique redirect URI is registered and additional OAuth features like PKCE (https://www.rfc-editor.org/rfc/rfc7636) are applied.
For general recommendations on using OAuth 2.0 for native apps see: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-native-apps, especially the security considerations at: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-native-apps-10#section-8
Upvotes: 5
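As an added example, not part of the answer above, here is a Python sketch of the public-client flow the answer describes: no client_secret at all, a redirect URI that must match what was registered, and PKCE (the S256 method from RFC 7636) carried through both the authorization request and the token request. The authorization server is a toy in-memory stand-in, and the client_id com.example.app, the redirect URI com.example.app:/oauth2redirect and the endpoint URL are assumptions for illustration only. The last function shows the failure mode PKCE exists for: an app that captures the authorization code from the redirect still cannot redeem it, because it never saw the code_verifier.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed registration values for the example (not from the original page).
CLIENT_ID = "com.example.app"
REDIRECT_URI = "com.example.app:/oauth2redirect"
AUTH_ENDPOINT = "https://as.example.com/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: high-entropy random string of 43..128 characters."""
    verifier = b64url(secrets.token_bytes(n_bytes))
    assert 43 <= len(verifier) <= 128
    return verifier


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(state: str, challenge: str) -> str:
    """The request the app opens in the system browser. No client_secret anywhere."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Toy AS: one public client, registered redirect URI, PKCE mandatory."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"redirect_uris": {REDIRECT_URI}}}
        self.pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        q = _query(url)
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE required for public clients")
        code = b64url(secrets.token_bytes(16))
        self.pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        # Redirect back to the app with the code and the app's state value.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
        entry = self.pending.pop(code, None)  # codes are single use
        if entry is None:
            raise ValueError("invalid or already used code")
        exp_client, exp_redirect, challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            raise ValueError("client_id/redirect_uri mismatch")
        # The secret that binds the token request to the authorization request.
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_legitimate_flow() -> dict:
    """The app that generated the verifier redeems the code successfully."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    callback = server.authorize(build_authorization_url(state, make_code_challenge(verifier)))
    q = _query(callback)
    if q["state"] != state:
        raise ValueError("state mismatch: response does not belong to this request")
    return server.token(CLIENT_ID, REDIRECT_URI, q["code"], verifier)


def intercepted_code_fails() -> bool:
    """A malicious app that sees the redirect (and so the code) has no verifier."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    callback = server.authorize(build_authorization_url("st", make_code_challenge(verifier)))
    stolen_code = _query(callback)["code"]
    try:
        server.token(CLIENT_ID, REDIRECT_URI, stolen_code, make_code_verifier())
    except ValueError as exc:
        return "PKCE" in str(exc)
    return False


if __name__ == "__main__":
    print(run_legitimate_flow())
    print("stolen code rejected:", intercepted_code_fails())
```

Note what does the work here: the attacker can decompile the app and learn the client_id and redirect URI, and on a device can even register for the same custom scheme and receive the code, but the code_verifier is generated fresh per request and lives only in the legitimate app's process, so it is nothing like a hard-coded client_secret that ships inside the APK.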