If the secret is dynamically provisioned then you have a confidential
client. Anyone reverse engineering their own installation of the native app
would only extract their own client's credentials, as opposed to the shared
secret of all installations. Having a confidential client means that
requests to the token endpoint (code, refresh) are client authenticated, so
PKCE wouldn't be needed.

On Tue, Nov 27, 2018 at 1:44 AM, Christian Mainka <
Christian.Mainka=40rub...@dmarc.ietf.org> wrote:

> Hi,
>
> we just stumbled upon this [1] statement:
> "Except when using a mechanism like Dynamic Client Registration
>    [RFC7591] to provision per-instance secrets, native apps are
>    classified as public clients ..."
>
> What does this mean for us? Native App + Dynamic Client Registration =
> Confidential Client?
> Which threats are covered if Dynamic Client Registration is used on
> Native Apps?
>
> Best Regards,
> Vladi/Christian
>
> [1]: https://tools.ietf.org/html/rfc8252#section-8.4
>
> --
> Dr.-Ing. Christian Mainka
> Horst Görtz Institute for IT-Security
> Chair for Network and Data Security
> Ruhr-University Bochum, Germany
>
> Universitätsstr. 150, ID 2/463
> D-44801 Bochum, Germany
>
> Telephone: +49 (0) 234 / 32-26796
> Fax: +49 (0) 234 / 32-14347
> http://nds.rub.de/chair/people/cmainka/
> @CheariX
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
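To make the point in the reply concrete, here is an added, constructed example (not code from the thread, RFC 8252 or any real authorization server). It models in memory an RFC 7591-style registration endpoint that hands every native-app installation its own `client_id`/`client_secret`, and an RFC 6749 token endpoint that requires `client_secret_basic` authentication. The class and function names (`AuthorizationServer`, `basic_auth_header`, `demo`) and the sample metadata are assumptions made for the example. It shows why per-instance secrets change the threat model: a secret extracted from one installation authenticates only that installation's `client_id`, so an authorization code issued to a different installation cannot be redeemed with it, which is the code-binding job PKCE does for public clients.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import quote, unquote


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-encode both values, then base64 'id:secret'."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def _parse_basic(header: str):
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic" or not b64:
        return None, None
    try:
        decoded = base64.b64decode(b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None, None
    cid, _, sec = decoded.partition(":")
    return unquote(cid), unquote(sec)


@dataclass
class AuthorizationServer:
    """Constructed in-memory model of an AS; stores only a hash of each secret."""
    registered: dict = field(default_factory=dict)   # client_id -> record
    issued_codes: dict = field(default_factory=dict) # code -> owning client_id

    def register(self, metadata: dict) -> dict:
        """Dynamic registration: mint fresh credentials for this one installation."""
        if metadata.get("application_type") != "native":
            raise ValueError("example only models native-app registration")
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        self.registered[client_id] = {
            "secret_hash": hashlib.sha256(client_secret.encode()).hexdigest(),
            "redirect_uris": list(metadata["redirect_uris"]),
        }
        return {"client_id": client_id, "client_secret": client_secret,
                "token_endpoint_auth_method": "client_secret_basic"}

    def authorize(self, client_id: str, redirect_uri: str) -> str:
        """Issue an authorization code bound to the requesting client_id."""
        rec = self.registered.get(client_id)
        if rec is None or redirect_uri not in rec["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = client_id
        return code

    def token(self, headers: dict, form: dict) -> dict:
        """Token endpoint for a confidential client: client auth comes first."""
        client_id, secret = _parse_basic(headers.get("Authorization", ""))
        rec = self.registered.get(client_id)
        if rec is None or secret is None:
            return {"error": "invalid_client"}
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(rec["secret_hash"], presented):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        # Single use: a failed redemption also burns the code (RFC 6749 4.1.2).
        owner = self.issued_codes.pop(form.get("code"), None)
        if owner != client_id:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def demo() -> dict:
    """Two installations of the same native app, each registered separately."""
    srv = AuthorizationServer()
    meta = {"application_type": "native",
            "redirect_uris": ["com.example.app:/oauth2redirect"]}  # constructed
    inst_a = srv.register(meta)
    inst_b = srv.register(meta)
    form = {"grant_type": "authorization_code",
            "code": srv.authorize(inst_a["client_id"], meta["redirect_uris"][0]),
            "redirect_uri": meta["redirect_uris"][0]}
    # No client credentials at all: rejected before the code is even looked at.
    anonymous = srv.token({}, form)
    # Someone holding only installation B's own secret cannot redeem A's code.
    hdr_b = {"Authorization": basic_auth_header(inst_b["client_id"], inst_b["client_secret"])}
    cross_instance = srv.token(hdr_b, form)
    # Installation A, with its own credentials and a fresh code, succeeds.
    form["code"] = srv.authorize(inst_a["client_id"], meta["redirect_uris"][0])
    hdr_a = {"Authorization": basic_auth_header(inst_a["client_id"], inst_a["client_secret"])}
    legit = srv.token(hdr_a, form)
    return {"distinct_ids": inst_a["client_id"] != inst_b["client_id"],
            "distinct_secrets": inst_a["client_secret"] != inst_b["client_secret"],
            "anonymous": anonymous, "cross_instance": cross_instance,
            "legit_ok": "access_token" in legit}


if __name__ == "__main__":
    print(demo())
```

The model keeps only a hash of each issued secret on the server side and compares with `hmac.compare_digest`; the per-instance secret itself lives only on the device that registered. Note that this addresses only what the reply claims, the binding of token requests to the installation that started the flow; it says nothing about how the app authenticates itself to the registration endpoint in the first place, which is out of scope for this example.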