In the 'User-Agent' profile, it says: "This user-agent profile does not utilize the client secret since the client executables reside on the end-user's computer or device which makes the client secret accessible and exploitable"
However, the 'Native Apps' profile does not include such verbiage and in fact specifically requires the use of the client secret. Native apps' executables also reside on the end-user's computer or device, making the client secret just as accessible and exploitable, so why the difference?

Specifically, as a native app developer, there is no good (secure) way to distribute the client secret without it being compromised. Any open-source application would have even more problems keeping their secret secure, but even compiled apps are easily exploitable. In this scenario, there is no single, secure repository to keep the client secret safe, so I would expect that the requirement of the client secret for native apps be removed and made conformant with the user-agent profile.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
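The concern raised in this post, that a public client cannot keep a static client secret confidential, is the problem that the later PKCE extension (RFC 7636) addresses for native apps: instead of a long-lived secret baked into the binary, the client generates a fresh per-request `code_verifier`, sends its SHA-256 `code_challenge` with the authorization request, and proves possession of the verifier when redeeming the code. The following is an added example, not code from the post or from the OAuth drafts it discusses; the `AuthorizationServer` class is a constructed stand-in for the server-side bookkeeping, and the test vector comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# Characters permitted in a code_verifier by RFC 7636 section 4.1.
_UNRESERVED = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def make_code_verifier(length: int = 64) -> str:
    """Generate a high-entropy code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def make_code_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in for the authorization server's PKCE handling.

    It stores the code_challenge alongside each issued authorization code and
    only releases a token when the presented code_verifier hashes to it.
    """

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind a challenge to a freshly issued code."""
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted here")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        """Token endpoint: redeem the code only with the matching verifier."""
        challenge = self._pending.pop(code, None)  # single use
        if challenge is None:
            return None  # unknown or already redeemed code
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # verifier does not match the bound challenge
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_exchange(verifier_mismatch: bool = False) -> bool:
    """Run one public-client exchange with no client secret involved.

    With verifier_mismatch=True the code is redeemed with a verifier other than
    the one whose challenge was bound to it, which the server must reject.
    Returns True when a token was issued.
    """
    server = AuthorizationServer()
    verifier = make_code_verifier()           # kept in process memory only
    code = server.authorize(make_code_challenge(verifier))
    presented = make_code_verifier() if verifier_mismatch else verifier
    return server.token(code, presented) is not None


if __name__ == "__main__":
    print("normal exchange issues token:", run_exchange())
    print("mismatched verifier issues token:", run_exchange(verifier_mismatch=True))
```

The verifier never leaves the device until the token request, and because it is generated per request there is nothing in the shipped binary worth extracting, which is why PKCE, rather than a distributed client secret, became the recommended way to protect native-app authorization code exchanges.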