The client secret is part of the OAuth standard. You are correct in your assumptions.
https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/
Quoting:
"If the developer is creating a “public” app (a mobile or single-page app), then you should not issue a client_secret to the app at all. This is the only way to ensure the developer won’t accidentally include it in their application. If it doesn’t exist, it can’t be leaked!"
Also:
"The client_secret is a secret known only to the application and the authorization server. It must be sufficiently random to not be guessable, which means you should avoid using common UUID libraries which often take into account the timestamp or MAC address of the server generating it. A great way to generate a secure secret is to use a cryptographically-secure library to generate a 256-bit value and converting it to a hexadecimal representation."
Yes, I mean this is part of the standard and it totally depends on the ability to secure the client secret.
Well, it makes sense then... But I still don't understand the point of enforcing this, unless you just want to comply with the OAuth2 standard, because as far as I can see, there's no downside in leaving a client secret in an open app. The app won't be less secure if the client secret leaks, it will be just the same.
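As an added example (my own code, not from the answer above or from oauth.com), a minimal client-registration routine that follows the two quoted rules: a client_secret is issued only to confidential clients, and it is 256 bits from a cryptographically secure source, hex-encoded. The client-type names and function names are my assumptions; the last function shows why a UUID library is the wrong tool, since uuid1 embeds the host's node id and a timestamp.

```python
import hmac
import secrets
import uuid


def generate_client_secret(nbits: int = 256) -> str:
    """Return nbits of OS CSPRNG output as lowercase hex (64 chars for 256 bits)."""
    if nbits % 8:
        raise ValueError("nbits must be a multiple of 8")
    return secrets.token_hex(nbits // 8)


def register_client(client_type: str) -> dict:
    """Issue a client_id always; issue a client_secret only to confidential clients.

    'public' covers mobile and single-page apps, which cannot keep a secret;
    per the quoted guidance they get no secret at all, so nothing can leak.
    The type names are an assumption for this example.
    """
    if client_type not in ("public", "confidential"):
        raise ValueError(f"unknown client_type: {client_type!r}")
    record = {
        "client_id": secrets.token_urlsafe(16),  # identifier only, not secret
        "client_type": client_type,
    }
    if client_type == "confidential":
        record["client_secret"] = generate_client_secret()
    return record


def verify_client_secret(expected: str, presented: str) -> bool:
    """Constant-time comparison so timing does not leak how many chars matched."""
    return hmac.compare_digest(expected.encode(), presented.encode())


def uuid1_leaks_host_info() -> dict:
    """Two uuid1 values from one process share the node id and carry a clock value,
    which is exactly why uuid1 must not be used as a client_secret."""
    a, b = uuid.uuid1(), uuid.uuid1()
    return {"same_node": a.node == b.node, "clock_advances": b.time >= a.time}
```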