Cidaas Client types

OAuth 2.0 defines two client/App types, based on their ability to authenticate securely with the authorization server (i.e., ability to maintain the confidentiality of their client credentials):

1. Public
2. Confidential

1. Public: Public clients cannot maintain the confidentiality of a client_secret, so the secret is not used for these apps. Both mobile apps and Javascript apps are considered public clients. Since anyone running a Javascript app can easily view the source code of the application, a secret would be visible there trivially. With mobile applications, it is often harder for a user to discover the app’s secret, but this has been done in the past, demonstrating that mobile apps must be considered public clients as well. (e.g., A client, ie, an installed native application or a web browser-based application which execute on a device used by resource owner).

2. Confidential: Confidentical clients are clients which have the ability to maintain the confidentiality of the client_secret. Typically these clients are only applications that run on a server under the control of the developer, where the source code is not accessible to users. These types of applications are commonly referred to as “web apps,” since they are most often accessed by a web browser. (e.g., client implemented on a secure server with restricted access to the client credentials).