OAuth 2.0 assumes that native applications cannot keep client credentials confidential. Below is a snippet from RFC 6749, "9. Native Applications":
"Native applications that use the authorization code grant type SHOULD do so without using client credentials, due to the native application's inability to keep client credentials confidential."
A client application that runs in an environment where it cannot keep client credentials confidential is called a public client (RFC 6749, "2.1. Client Types"). Public clients should not send a client secret when requesting authorization and/or tokens. (It is allowed, though.)
If your mobile devices are ordinary smartphones, you should not embed a client secret in your application. On the other hand, if your mobile devices are special and you believe crackers cannot practically extract the client secret from the application on those devices, using a client secret will increase security.
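To make the distinction concrete, here is an added example (not from the original answer) of a minimal token endpoint that treats the two client types the way RFC 6749 describes them: a confidential client must authenticate with its secret, while a public client is identified by client_id only, so the protection on the code exchange comes from binding the authorization code to the client_id and redirect_uri it was issued for, rejecting replay and enforcing a short lifetime (RFC 6749, 4.1.3). The client registry, client IDs, secret and redirect URIs are constructed for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed client registry (hypothetical clients, not from the original post).
CLIENTS = {
    # Confidential client: a server-side web app that can keep its secret.
    "web-backend": {
        "type": "confidential",
        "secret": "s3cr3t-only-on-the-server",
        "redirect_uris": ["https://app.example/cb"],
    },
    # Public client: a smartphone app. No secret is registered at all, because a
    # secret compiled into the app would be available to anyone who unpacks it.
    "mobile-app": {
        "type": "public",
        "secret": None,
        "redirect_uris": ["com.example.app:/oauth2redirect"],
    },
}

CODE_LIFETIME_SECONDS = 600  # RFC 6749 4.1.2 recommends at most 10 minutes


@dataclass
class AuthCode:
    client_id: str      # the client the code was issued to
    redirect_uri: str   # the redirect_uri used on the authorization request
    issued_at: float
    used: bool = False  # codes are single-use


CODES: dict = {}  # code value -> AuthCode (in-memory store for the demo)


def issue_code(client_id, redirect_uri):
    """Authorization endpoint (simplified): after the user consents, bind the
    new code to the requesting client_id and its registered redirect_uri."""
    client = CLIENTS[client_id]
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("unregistered redirect_uri")
    code = secrets.token_urlsafe(32)
    CODES[code] = AuthCode(client_id, redirect_uri, time.time())
    return code


def token_endpoint(params, client_secret=None):
    """Token endpoint for the authorization code grant.

    `params` is the form body; `client_secret` is what arrived via HTTP Basic
    auth (or the client_secret form field). Returns (http_status, json_body).
    """
    if params.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}

    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        return 401, {"error": "invalid_client"}

    if client["type"] == "confidential":
        # Confidential clients MUST authenticate (RFC 6749 3.2.1).
        if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            return 401, {"error": "invalid_client"}
    # Public clients: nothing to verify here. What limits misuse of a code is
    # the binding below, not a secret the app could never have kept.

    code = CODES.get(params.get("code"))
    if code is None or code.used:
        return 400, {"error": "invalid_grant"}
    if code.client_id != params.get("client_id"):
        # A code issued to one client cannot be redeemed by another (4.1.3).
        return 400, {"error": "invalid_grant"}
    if time.time() - code.issued_at > CODE_LIFETIME_SECONDS:
        return 400, {"error": "invalid_grant"}
    if params.get("redirect_uri") != code.redirect_uri:
        return 400, {"error": "invalid_grant"}

    code.used = True
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    c = issue_code("mobile-app", "com.example.app:/oauth2redirect")
    print(token_endpoint({"grant_type": "authorization_code", "client_id": "mobile-app",
                          "code": c, "redirect_uri": "com.example.app:/oauth2redirect"}))
```

The public client's exchange succeeds with no secret at all, and a second exchange of the same code, or an exchange by a different client_id, is rejected; the confidential client is refused unless it presents its secret. In current practice a public client would additionally send a PKCE code_verifier (RFC 7636) so that an intercepted code is useless without the verifier; that is not part of the answer above and is left out of the demo.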