Hi, your observation is correct. The OAuth security considerations recommend not relying on secrets for authenticating mobile apps (aka native apps) but managing them as so-called public clients. Please take a look at section 10 of the core spec for further details.
Regards, Torsten.

Karim <medkarim.esska...@gmail.com> wrote:

> Hello,
>
> When using the User-agent flow with OAuth2 on a mobile platform, there is no way for the Authorization server to authenticate the client_id of the application. So anyone can impersonate my app by copying the client_id (and so get all access tokens on my behalf), and this applies to Facebook, Foursquare, ... Is this not managed by OAuth2? Or did I miss something?
>
> For Web applications (Web server flow), the access token is stored on the server side, and the client is authenticated using a secret key.
>
> -- Karim
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
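The distinction Torsten points to, as an added example that is not part of the thread or of any real authorization server: a token-endpoint policy that authenticates confidential clients (web server flow) by a secret, treats native/user-agent clients as public clients whose client_id only identifies and never authenticates, and relies on the registered redirect URI (section 10 of the core spec, and its redirection-endpoint rules) rather than on a secret to keep a public client's tokens bound to that client. The client registry, client ids, secret and redirect URIs are constructed for the example.

```python
import hashlib
import hmac

# Constructed registry for this example (not any real server's data). Confidential
# clients (web server flow) are registered with a secret; public clients (native /
# user-agent flow) are registered with no secret at all, only a redirect URI.
CLIENT_REGISTRY = {
    "web-app-123": {
        "type": "confidential",
        "secret_hash": hashlib.sha256(b"s3cr3t-web-app").hexdigest(),
        "redirect_uris": {"https://example.com/oauth/callback"},
    },
    "mobile-app-456": {
        "type": "public",
        "secret_hash": None,
        "redirect_uris": {"myapp://oauth/callback"},
    },
}


def authenticate_client(client_id, client_secret=None, registry=CLIENT_REGISTRY):
    """Classify a token-endpoint caller.

    Returns "confidential" when the client proved possession of its secret,
    "public" when it is a registered public client (identity not verified),
    and "invalid_client" for an unknown client or a failed secret check.
    """
    entry = registry.get(client_id)
    if entry is None:
        return "invalid_client"
    if entry["type"] == "public":
        # No secret exists to check: the client_id identifies, it does not authenticate.
        return "public"
    if not client_secret:
        return "invalid_client"
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # Constant-time comparison so response timing does not leak how much matched.
    if not hmac.compare_digest(presented, entry["secret_hash"]):
        return "invalid_client"
    return "confidential"


def redirect_uri_allowed(client_id, redirect_uri, registry=CLIENT_REGISTRY):
    """Exact-match the requested redirect URI against the client's registration.

    For a public client this is the control that matters: whoever presents the
    client_id, the authorization response is only delivered to the URI that was
    registered for it, so the id alone does not yield tokens to a third party.
    """
    entry = registry.get(client_id)
    return entry is not None and redirect_uri in entry["redirect_uris"]


def grant_allowed(grant_type, client_id, client_secret=None, registry=CLIENT_REGISTRY):
    """Policy: grants that depend on client identity are confidential-only."""
    level = authenticate_client(client_id, client_secret, registry)
    if level == "invalid_client":
        return False
    if grant_type == "client_credentials":
        # Nothing authenticated a public client, so its identity cannot be the grant.
        return level == "confidential"
    if grant_type in ("authorization_code", "refresh_token"):
        # Resource-owner-authorized grants are fine for both client types.
        return True
    return False


if __name__ == "__main__":
    print(authenticate_client("web-app-123", "s3cr3t-web-app"))   # confidential
    print(authenticate_client("mobile-app-456", "copied-or-not"))  # public
    print(redirect_uri_allowed("mobile-app-456", "https://other.example/cb"))  # False
    print(grant_allowed("client_credentials", "mobile-app-456"))   # False
```

The point of the policy is that the server never derives any trust from a public client's client_id: a presented secret is ignored for it, identity-based grants are refused, and the only binding between the client_id and the party receiving tokens is the registered redirect URI check done at the authorization endpoint.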