What's the advantage of the client secret in OAuth2?

666    Asked by Aashishchaursiya in Salesforce , Asked on Aug 2, 2021

In the OAuth 2.0 "Web Server" flow you are required to have a client secret, whereas in other flows you aren't.

I can't find an explicit statement as to why you'd need to have a client secret. Is there a benefit that you don't need to re-authenticate the user?

Answered by Ankit Chauhan

You can use OAuth2, for client secret mechanism as it is a means of authorizing a client, the software requesting an access token. You can also think of Oauth2 as a secret passphrase that proves to the authenticated user that the client app is authorized to make a request on the behalf of the users.

An app requesting an access token has to know the client secret in order to gain the token. This prevents malicious applications that have not been authorized from using the tokens from ever receiving a valid access token. It doesn't state anything about authenticating a user, but it's instead for authorizing an app to request access tokens.

Don't confuse authorization with authentication. Users are authenticated, while applications are authorized. The client secret protects a service from giving out multiple tokens to rogue apps. This client secret should be protected at all costs and if the secret is settled, a new one must be generated and all authorized applications will have to be updated with the new client secret.

Client secrets aren't utilized in other types of flows, because of their sensitive nature. Such as, you must not utilize Client secret in JavaScript or desktop applications, both of which can be decompiled, examined, source code viewed, debugged, etc. Servers are theoretically safe from prying, so the client secret is less vulnerable than it is on a desktop application etc.



Your Answer

Interviews

Parent Categories