OAuth - Public client



A public client is a client whose client type is public (as opposed to confidential).

In practice it means that the client runs on a machine you do not administer: the device of the end user (resource owner), as with a native application or JavaScript executed in a browser. With a confidential (private) client, such as a web server, you are the administrator and can keep the client credentials secret. A public client cannot keep a secret, so any client secret shipped with it must be treated as already disclosed.

An attacker can scan, decompile or instrument your application (or watch its traffic on the device) in order to extract authentication/authorization material. The authorization server therefore cannot rely on client authentication from a public client.

With the authorization code grant, PKCE (Proof Key for Code Exchange, RFC 7636) is recommended for public clients (and required by the OAuth 2.1 draft): it binds the authorization code to the client instance that requested it, so a code intercepted on the device cannot be exchanged for tokens by anyone else.


Discover More
OAuth - Implicit Grant and flow

The implicit grant is a grant type (flow) that issues an access token directly (it does not support the issuance of refresh tokens). This grant type is called implicit, as no intermediate credentials...
Oauth - Client (App)

The client is one of the 4 roles of the OAuth specification. In its most basic form, it's a web site used by an end-user. In more detail, it is a (first-party or third-party) service application making...
Oauth - Client Authentication

The authentication method for a client in OAuth. The client MUST NOT use more than one authentication method in each request. Client authentication is used for: enforcing the binding of refresh tokens...
Oauth - Confidential Client

Confidential clients are clients (apps) that have the confidential (ie private) type, such as a web server. If a client is confidential, it is not a public client; see
Oauth - Native application

A native application is a public client installed and executed on the device used by the resource owner (ie the end user). Protocol data and credentials are accessible to the resource owner. It is assumed...
Oauth - Web Browser / User-agent-based application

A user-agent-based application is a public client in which the client code (generally JavaScript) is downloaded from a web server and executes within a user-agent (e.g., web browser) on the device used...
Proof Key For Code Exchange (PKCE) flow

OAuth 2.0 public clients (e.g., browser-based or native apps) utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. Proof Key for Code Exchange by OAuth Public Clients (PKCE) ...
