Yeah, certainly for Mobile clients this is true. There are classes of clients 
(server to server implementations notably) where clientID can be a proper 
secret and be useful for client validation.
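An added example (not code from this thread or from any OAuth library) of how a token endpoint can act on the distinction drawn above: a confidential (server-to-server) client proves its identity with a secret compared in constant time against a stored hash, while a public (mobile) client's client_id is accepted only as an identifier, never as proof of who is calling, and the client_credentials flow is gated on a verified confidential client. The in-memory registry, the client names and the secret-hashing choice are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory registry (an assumption; a real authorization server
# persists registrations). Confidential clients keep only a hash of their
# secret; public clients (mobile / user-agent apps) have none, because a
# client_id shipped inside an app binary is public knowledge.
CLIENTS = {}


def register_client(client_id: str, confidential: bool) -> Optional[str]:
    """Register a client. Returns the generated secret for a confidential
    client (shown once, never stored in clear); None for a public client."""
    if not confidential:
        CLIENTS[client_id] = {"public": True, "secret_hash": None}
        return None
    secret = secrets.token_urlsafe(32)  # high-entropy, server-generated
    # Plain SHA-256 suffices because the secret is random, not a user-chosen
    # password; a salted KDF would be needed if clients could pick weak ones.
    CLIENTS[client_id] = {"public": False,
                          "secret_hash": hashlib.sha256(secret.encode()).digest()}
    return secret


def authenticate_client(client_id: str, client_secret: Optional[str]) -> Optional[str]:
    """Return 'confidential' if the client proved its identity with its secret,
    'public' if the client is registered as public (identity NOT proven),
    or None to reject the request (respond with invalid_client)."""
    entry = CLIENTS.get(client_id)
    if entry is None:
        return None
    if entry["public"]:
        # client_id alone is not a credential: anyone can copy it from the app.
        # A public client presenting a secret is misconfigured; reject it.
        return None if client_secret is not None else "public"
    if client_secret is None:
        return None
    presented = hashlib.sha256(client_secret.encode()).digest()
    # Constant-time comparison so response timing does not leak the hash.
    if not hmac.compare_digest(presented, entry["secret_hash"]):
        return None
    return "confidential"


def flow_allowed(flow: str, client_class: str) -> bool:
    """Server-to-server client_credentials needs a verified confidential
    client (RFC 6749 section 4.4); code and implicit flows allow public ones."""
    if flow == "client_credentials":
        return client_class == "confidential"
    return flow in ("authorization_code", "implicit")
```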



________________________________
From: Torsten Lodderstedt <tors...@lodderstedt.net>
To: Karim <medkarim.esska...@gmail.com>; oauth@ietf.org
Sent: Friday, January 6, 2012 5:21 AM
Subject: Re: [OAUTH-WG] OAuth2 security considerations for client_id

Hi,

Your observation is correct. The OAuth security considerations recommend not 
relying on secrets for authenticating mobile apps (aka native apps) but managing 
them as so-called public clients. Please take a look at section 10 of the 
core spec for further details.

regards,
Torsten.




Karim <medkarim.esska...@gmail.com> wrote:
>Hello,
>
>When using the User-agent flow with OAuth2 for a mobile platform, there is no way 
>for the Authorization server to authenticate the client_id of the application.
>
>So, anyone can impersonate my app by copying the client_id (and so get all 
>access tokens on my behalf), and this is applicable to Facebook, Foursquare, ...
>
>Isn't this managed by OAuth2? Or did I miss something?
>
>For Web applications (Web server flow), the access token is stored on the server 
>side, and the client is authenticated using a secret key.
>
>-- 
>Karim
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth