OAuth 2.0 Clients¶
The OAuth 2.0 specification defines two types of clients based on their ability to maintain the confidentiality of client credentials as below.
A Confidential client is capable of maintaining the confidentiality of its credentials provided by an authorization server. For example a web application where only the administrator can get access to the server and see the client credentials would be a confidential client.
With respect to above two client types there are applications invoking OAuth 2.0 APIs, that can be either confidential or public. These application profiles are as below.
Web applications run on a web server and they typically consists of both a browser part and a server part. Thus they can maintain the confidentiality of client credentials as well as any access token issued to the client as they can be stored on the web server, such that they are not exposed to or accessible by the user.
The diagram below illustrates a confidential client web application. Here the user interacts with the browser which is communicating with the client. The client has a separate secure communication channel with the authorization server and the resource server. Thus, the user’s browser never makes a request directly to the Authorization server, everything goes through the client first.
Typically, the authorization code grant type is used with these clients.
User Agent Based Application
Typically, the implicit grant type is used with these clients.
Refer this blog post to learn more on protecting SPAs in accessing OAuth 2.0 secured APIs.
A native application is a public client installed and executed on the device used by the user. Typically, mobile applications and desktop applications fall in this category. Here, protocol data and credentials are accessible to the user. It is assumed that any client authentication credentials included in the application can be extracted. At a minimum, credentials are protected from hostile servers with which the application may interact, and on some platforms, these credential might be protected from other applications residing on the same device.
It is usually recommended to take the advantage of PKCE extension with native clients to mitigate code interception attacks when using authorization code grant type to access secured services.Top