May 23, 2021 OAuth 2.0 Series
OAuth 2.0 client roles are broken down into a series of types and configurations that are described in this section.
The OAuth 2.0 specification defines two client types:
A confidential client is able to keep its client password (the client secret) confidential from outsiders. The client password is assigned to the client application by the authorization server, which uses it to authenticate the client and so prevent spoofing. For example, a confidential client can be a web application: nobody except the administrator can access the server and read the password.
Public clients cannot keep the client password confidential. For example, a mobile phone app or a desktop app embeds the password inside the application; such an application can be reverse-engineered and the password compromised. The same applies to a JavaScript app running in the user's browser: a user can open the browser's JavaScript debugger, inspect the application and read the client password.
The OAuth 2.0 specification also refers to a series of client profiles. These profiles are specific types of applications, each of which can be confidential or public. The profiles are:
A Web app is an app that runs within a Web server. In practice, web applications typically consist of browser-side and server-side components. If the Web application needs access to a resource server, such as a Facebook account, the client password is stored on the server. Therefore, the password is confidential.
[Figure] Confidential client: Web app
User-agent apps, such as JavaScript apps that run in a browser; the browser is the user agent. The user-agent app may be stored on a web server, but once downloaded it runs only inside the user agent. An example is a JavaScript game that runs only in the browser.
[Figure] Public client: User-agent app
Native apps, such as desktop apps or mobile apps. Native applications are typically installed on the user's computer or device (mobile phone, tablet, etc.). Therefore, the client password is also stored on the user's computer or device.
[Figure] Public client: Native app
Some apps are a mix of these configurations. For example, a native application can also have a server component that does some of the work (such as data storage). The OAuth 2.0 specification does not mention this hybrid case. However, in most cases a hybrid application can still be modelled with these profiles for its authentication.
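The distinction between the two client types and the three profiles above can be made concrete on the authorization-server side. The following is an added example, not code from the original article or from any OAuth 2.0 library: a hypothetical client registry that maps each profile to its client type, assigns a client password only to confidential clients, and authenticates a token-endpoint request accordingly (public clients are identified by client_id alone and must rely on other protections, such as PKCE from RFC 7636, which is not shown here).

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Client profiles from the article and the client type each one maps to.
PROFILE_TYPE = {"web": "confidential", "user-agent": "public", "native": "public"}


@dataclass
class Client:
    client_id: str
    profile: str
    secret: Optional[str] = None  # only confidential clients ever hold one

    @property
    def client_type(self) -> str:
        return PROFILE_TYPE[self.profile]


class AuthorizationServer:
    """Hypothetical, minimal client registry of an OAuth 2.0 authorization server."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}

    def register(self, client_id: str, profile: str) -> Client:
        if profile not in PROFILE_TYPE:
            raise ValueError(f"unknown client profile: {profile}")
        client = Client(client_id, profile)
        # The server assigns the password, and only to a client that can keep it secret.
        if client.client_type == "confidential":
            client.secret = secrets.token_urlsafe(32)
        self.clients[client_id] = client
        return client

    def authenticate(self, client_id: str, presented_secret: Optional[str]) -> str:
        """Classify a token-endpoint request as 'confidential', 'public' or 'rejected'."""
        client = self.clients.get(client_id)
        if client is None:
            return "rejected"
        if client.client_type == "confidential":
            # Constant-time comparison, so a spoofing client learns nothing from timing.
            if presented_secret is None or not hmac.compare_digest(client.secret, presented_secret):
                return "rejected"
            return "confidential"
        # Public client: identified by client_id only. Policy of this example: a public
        # client presenting a password is rejected, since any such value is untrusted.
        if presented_secret is not None:
            return "rejected"
        return "public"
```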