As I stated, use a public client (i.e. w/o a secret). That’s the same recommendation as for native apps (https://tools.ietf.org/html/bcp212). Clearly, the AS must take this into consideration when determining the level of trust it puts into the client’s identity.

And do not forget to use PKCE in order to detect code injection attempts. Please take a look at https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1 for the full set of security guidelines.

OAuth 2

Learnings, Patterns and Ideas around use of OAuth 2.0

Written by Torsten Lodderstedt
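Added example (not code from the comment above or from the OAuth 2 publication): a toy PKCE S256 flow showing why a public client, which has no secret to present, still lets the AS detect an injected or stolen authorization code. The `AuthorizationServer` class, the scenario names and all values are constructed for illustration.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS (constructed): the challenge is bound to the code it issues."""

    def __init__(self) -> None:
        self._codes = {}  # code -> code_challenge from the authorization request

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: accept only if S256(verifier) matches the bound challenge."""
        challenge = self._codes.pop(code, None)  # codes are single use
        if challenge is None:
            return False
        return secrets.compare_digest(s256_challenge(code_verifier), challenge)


def run_scenarios() -> dict:
    """Honest flow vs. the two code-injection cases a public client cannot otherwise detect."""
    as_ = AuthorizationServer()
    victim_v, attacker_v = make_verifier(), make_verifier()
    honest_code = as_.authorize(s256_challenge(victim_v))
    injected_code = as_.authorize(s256_challenge(attacker_v))  # from the attacker's own session
    stolen_code = as_.authorize(s256_challenge(victim_v))      # leaked from the victim's session
    return {
        "honest": as_.token(honest_code, victim_v),                 # True
        "injected_into_victim": as_.token(injected_code, victim_v),  # False: wrong verifier
        "stolen_by_attacker": as_.token(stolen_code, attacker_v),    # False: attacker lacks verifier
    }
```

The AS never learns the verifier before the token request, so the comparison above is what replaces the missing client secret as the binding between the two legs of the flow.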
