OAuth Client Types

OAuth 2.0 Client Types: Public vs. Confidential Clients

In our previous blog, we explored What OAuth 2.0 Is and the Need for OAuth 2.0, explaining how OAuth 2.0 helps secure user data while granting applications access to resources without sharing sensitive information like passwords. OAuth 2.0 is a crucial framework for modern applications, ensuring security and privacy in an increasingly connected world.

Master OAuth 2.0: A Practical Guide to API Security

Join 9,000+ students in the
🔥 Highest-Rated OAuth 2.0 Course on Udemy
🔐 Deep-dive into flows, tokens, and advanced security extensions
🧠 Real-world scenarios, attacker simulations & decision trees
🏗️ Designed for developers, architects & security pros

In this blog, we’ll dive deep into Public Clients and Confidential Clients, explaining their differences, use cases, and security implications. By the end, you’ll have a clear understanding of which client type is suitable for your app and how to implement OAuth 2.0 securely.

What is an OAuth 2.0 Client?

An OAuth 2.0 client is any application to which the Resource Owner (the user) grants access to their resources through OAuth 2.0. When setting up an OAuth 2.0 Authorization Server, you’ll need to define which applications are registered as OAuth 2.0 clients. Client types are categorized by whether the application can securely store credentials, particularly the Client Secret. The Client Secret is essentially the “password” of the application, used to authenticate the client to the Authorization Server.

The Key Difference Between Public and Confidential Clients

The main distinction between Public Clients and Confidential Clients lies in how they store and manage credentials:

  • Public Clients: These are applications that cannot securely store secrets, such as the Client Secret. Think of these as client-side applications, where the environment is largely controlled by the user (e.g., mobile apps, Single Page Applications (SPAs), and desktop apps).
  • Confidential Clients: These are applications that can securely store secrets and are typically server-side applications, such as web apps or enterprise-level systems running on controlled servers.

Choosing the correct client type is crucial for ensuring secure OAuth 2.0 implementation and avoiding vulnerabilities like unauthorized access and data leaks.

Public Clients: Understanding the Risks and Use Cases

Public Clients are typically applications that run in environments controlled by the user, where they cannot securely store sensitive information such as the Client Secret. This makes them more vulnerable to attacks and leaks, as malicious actors can easily access and misuse sensitive data.

Characteristics of Public Clients

Public Clients are typically:

  • Browser-based apps: Single Page Applications (SPAs) built with JavaScript frameworks like React, Vue.js, or Angular.
  • Native mobile apps: Applications built for Android, iOS, or other mobile operating systems.
  • Desktop apps: Software running on local machines, such as image editors or media players.
  • Smart TV apps: Apps designed for smart TVs that also need to access cloud resources.

Why Public Clients Cannot Store Secrets Securely

Public Clients cannot store the Client Secret securely because the environment in which they run is largely controlled by the user. This means that anything stored in the app—such as variables, credentials, or tokens—can potentially be exposed. For example:

  • In SPAs, the entire application code (including any data embedded in it) is loaded into the user’s browser, where it can be inspected and any embedded secret extracted.
  • In mobile apps, the app runs on a device the user controls; an attacker who exploits a vulnerability in the operating system can reach any credentials the app has stored.
  • In smart TV apps, the user likewise controls the environment, so stored credentials can be intercepted and misused.

Examples of Frameworks and Technologies

Some common frameworks used to build Public Clients include:

  • React, Angular, and Vue.js for SPAs
  • Swift for iOS and Java/Kotlin for Android for mobile applications
  • Electron for building cross-platform desktop apps
  • Tizen and WebOS for smart TV apps

Security Risks

Because Public Clients cannot securely store secrets, they are prone to man-in-the-middle attacks and token theft. Any access tokens or credentials stored locally can be intercepted by attackers if the app is compromised or insecurely designed.

Confidential Clients: Secure Authentication and Credential Storage

Confidential Clients are applications that run in secure, server-side environments where the developer controls the infrastructure. These clients are capable of securely storing sensitive credentials, including the Client Secret, and can safely authenticate themselves with the Authorization Server.

Characteristics of Confidential Clients

Confidential Clients typically include:

  • Server-side applications: These are web applications that run on a server and handle business logic and user authentication, like e-commerce websites or enterprise applications.
  • Enterprise systems: Large applications built to handle complex tasks and data, often requiring secure integration with other services.

Why Confidential Clients Can Store Secrets Securely

Unlike Public Clients, Confidential Clients are hosted on secure servers, which allows them to store credentials like the Client Secret safely. These credentials are stored as environment variables or in secure secret management systems. Since the environment is controlled by the developer, there is much less risk of exposing secrets.

Examples of Frameworks and Technologies

Common frameworks used to build Confidential Clients include:

  • Laravel (PHP)
  • Spring (Java)
  • Django (Python)
  • Node.js (JavaScript)
  • ASP.NET Core (C#)

Security Benefits

Confidential Clients benefit from several security advantages:

  • They can authenticate securely with the Authorization Server without exposing credentials.
  • Sensitive information like access tokens can be stored and transmitted securely.
  • Server-side storage ensures that the Client Secret is never exposed to the end user or potential attackers.

Common Use Cases

Confidential Clients are ideal for applications that need to securely manage user data and perform sensitive operations. They are typically used in:

  • Web applications that handle user authentication and session management.
  • Enterprise applications that need to integrate with multiple internal services.
  • Backend services that need to authenticate and interact with other APIs securely.

Choosing Between Public and Confidential Clients

When configuring your Authorization Server and deciding which client type to use, it’s important to consider the environment in which your app runs and how it handles sensitive data.

  • Public Clients are appropriate for applications that must run in user-controlled environments, such as mobile apps or browser-based applications. However, developers must take additional security precautions, like using PKCE (Proof Key for Code Exchange), to secure these apps.
  • Confidential Clients should be used when the application runs on a server controlled by the developer, where credentials can be stored securely.

Conclusion: The Right Client Type for Your Application

Choosing between Public Clients and Confidential Clients is a critical decision when implementing OAuth 2.0 for your application. Understanding the differences between these two types of clients helps you choose the correct configuration and OAuth 2.0 flow for your use case, ensuring both security and user data protection.

  • Use Public Clients for applications that run in environments controlled by the user (e.g., mobile apps, SPAs, desktop apps).
  • Use Confidential Clients for server-side applications that can securely manage sensitive credentials.

Stay tuned for my next post, where we will explore OAuth 2.0 scopes—how they define and limit what data apps can access, ensuring your resources remain secure.

Author Muhannad Darraj — OAuth and Security Software Architecture

Muhannad Darraj

Senior Software Engineer @ Adesso and instructor of the highest-rated OAuth 2.0 course on Udemy.

I specialize in secure application architectures, OAuth 2.0, OpenID Connect, and Zero Trust. I’m passionate about helping developers and architects design secure, scalable APIs through hands-on learning and real-world scenarios. Want to dive deeper? Check out my course below 👇

