Difference between Oauth in frontend and backend

Question

I can implement Oauth in React-frontend(https://www.npmjs.com/package/react-google-login, input taken is only clientID) as well as SpringBootSecurity-backend(https://github.com/spring-guides/tut-spring-boot-oauth2, input taken is clientID as well as clientSecret). What is the difference between these two ways? More specifically how is the presence and absence of clientSecret affecting these two ways.

Answer 1

Without a client secret, the React frontend (perhaps a SPA: Single Page App) completely relies on the redirect uri that was registered with the auth server to provide some semblance of security. This uri was previously registered with the auth server. However, it is not as secure since the malicious app/user can tap into the communication on the redirect uri. Mobile apps suffer as well in this circumstance. And the client id is available just by inspecting the source in a browser. Therefore the malicious app has all the information to mount an attack and access the token. This is known as OAUTH "implicit" grant type flow. And it leads to token leakage or token replay.

To circumvent this issue, PKCE (Proof Key for Code Exchange) comes into the picture. Details here. Provides information on the reason for its existence in terms of shortcomings of the implicit flow that you document in your question.

The PKCE RFC here also details attack scenarios.

There is also this answer that answers very well on this aspect on this very site.