Re: [OAUTH-WG] CORS and public vs. confidential clients

Bill Burke <> Fri, 28 March 2014 16:52 UTC

To: Prateek Mishra <>
Cc: IETF oauth WG <>

The threat model doc was really great, but I still couldn't find 
anything concrete on what guarantees you lose if you use a public client 
vs. a confidential one.  Honestly, I'm just trying to have the right 
info to guide users on what auth flow to use and the pros/cons.

On 3/27/2014 7:59 PM, Prateek Mishra wrote:
> Bill - as you are referencing CORS in your message, I assume you are
> discussing a Javascript-only (browser) client. I believe the implicit flow
> was designed for this case and this flow never involves a confidential
> client.
Yes, it is a Javascript (browser) client.  Implicit flow doesn't allow 
for a refresh token.  Our browser javascript code uses CORS also when 
participating in the access code grant flow.

Our access codes are digitally signed, and unique.  They can only be 
turned into an access token once.  They are associated privately with a 
redirect URI, state, and client_id.  And they have a timeout.  We do 
validation/verification at each part of the flow to make sure the 
redirect URI, state, and/or client_id is valid.  I just want to know what 
to tell users about the security implications if they use a public 
client in this scenario.

> Confidential clients may be used with the other flows (code,
> resource,..) that are capable of making a TLS call to a Token Endpoint.

BTW, Is there a better list for these types of questions?  Didn't have a 
lot of luck on the Google Group for OAuth.

Bill Burke
JBoss, a division of Red Hat