Re: [OAUTH-WG] OAuth2 security considerations for client_id

Torsten Lodderstedt <> Fri, 06 January 2012 13:22 UTC

From: Torsten Lodderstedt <>
Date: Fri, 06 Jan 2012 14:21:45 +0100
To: Karim <>,
Message-ID: <>


Your observation is correct. The OAuth security considerations recommend not relying on secrets for authenticating mobile apps (aka native apps) but managing them as so-called public clients. Please take a look at section 10 of the core spec for further details.


Karim <> wrote:


When using the User-agent flow with OAuth2 on a mobile platform, there is no way for the Authorization server to authenticate the client_id of the application.

So anyone can impersonate my app by copying the client_id (and so get all access tokens on my behalf), and this applies to Facebook, Foursquare, ...

Is this not managed by OAuth2? Or did I miss something?

For Web applications (Web server flow), the access token is stored on the server side, and the client is authenticated using a secret key.
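As an added illustration of the distinction drawn in the reply above (confidential clients authenticated by a secret, public clients not authenticated at all), here is a small Python model of how an authorization server can treat the two client types. This is example code written for this page, not code from the OAuth specification or from any implementation; the client registry, the redirect URIs and the function names are constructed assumptions. The exact-match redirect URI check models the control that RFC 6749 pairs with public clients: since a public client's client_id cannot be authenticated, the token is only ever delivered to the callback registered for that client_id.

```python
import hmac

# Constructed client registry (example data, not from the thread or any real service).
# "confidential" clients (web server flow) hold a secret; "public" clients (native/mobile
# apps using the user-agent flow) cannot keep one, so their client_id is not treated as
# proof of identity.
CLIENTS = {
    "web-app-1": {
        "type": "confidential",
        "secret": "s3cr3t-from-registration",
        "redirect_uris": {"https://webapp.example/cb"},
    },
    "mobile-app-1": {
        "type": "public",
        "secret": None,
        "redirect_uris": {"com.example.mobile://oauth/cb"},
    },
}


def authenticate_client(client_id, client_secret):
    """Return (ok, reason).

    Only confidential clients are authenticated, by a constant-time secret compare.
    A public client is accepted without proving who it is; callers must not treat
    its client_id as authentication.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "unknown_client"
    if client["type"] == "confidential":
        if client_secret is None or not hmac.compare_digest(client["secret"], client_secret):
            return False, "invalid_client"
        return True, "authenticated"
    # Public client: there is no secret to verify, so presenting the client_id proves nothing.
    return True, "public_unauthenticated"


def check_redirect_uri(client_id, redirect_uri):
    """Exact-match the requested redirect_uri against the set registered for client_id.

    This is the control that matters for public clients: a party that merely copied
    the client_id cannot have the token sent anywhere except the registered callback.
    """
    client = CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def authorize_request(client_id, redirect_uri, client_secret=None):
    """Model of the checks an authorization server runs before issuing a token."""
    ok, reason = authenticate_client(client_id, client_secret)
    if not ok:
        return {"error": reason}
    if not check_redirect_uri(client_id, redirect_uri):
        return {"error": "invalid_redirect_uri"}
    return {"client_id": client_id, "client_auth": reason, "redirect_uri": redirect_uri}


if __name__ == "__main__":
    print(authorize_request("web-app-1", "https://webapp.example/cb", "s3cr3t-from-registration"))
    print(authorize_request("mobile-app-1", "com.example.mobile://oauth/cb"))
    print(authorize_request("mobile-app-1", "https://other.example/cb"))
```

The point of the model is the `client_auth` value the public client ends up with: the server records that it did not authenticate the caller, and the only thing protecting the token is that it is delivered to the registered callback rather than to whatever URI the request names.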