Confidential vs. Public Applications - Understanding Client Types
Vincent
Created: May 17, 2024
Updated: June 19, 2024
What are Confidential and Public Applications?#
Confidential and Public Applications refer to two classifications of client applications in OAuth 2.0, distinguished by their ability to securely handle credentials like client secrets. Confidential applications can securely store credentials and are typically server-side applications, while public applications cannot securely store credentials and are often client-side apps, such as mobile or desktop applications.
- Confidential applications can secure credentials and perform robust authentication.
- Public applications are unable to secure credentials and require different security measures.
- Both types use OAuth 2.0 for authentication but differ in their security capabilities.
Characteristics of Confidential Applications#
- Secured Environment: Runs on servers where direct access by users or attackers is restricted.
- Capability to Secure Secrets: Able to safely store client secrets used for authentication.
- Best Practices: Includes using managed identities, secure storage, and regular rotation of client secrets.
Characteristics of Public Applications#
- Run on Client Devices: Such as desktops, mobile devices, or within browsers where access to source code can occur.
- Inability to Secure Secrets: Cannot safely store client secrets due to the risk of exposure.
- Authentication Flow: Uses OAuth 2.0 flows that do not require client secrets for authentication.
Security Measures and Best Practices#
- For Confidential Applications: Utilize secure channels for transmitting secrets, use encryption for stored data, and implement strict access controls.
- For Public Applications: Employ strong client-side security measures such as PKCE (Proof Key for Code Exchange) to enhance the security of OAuth flows.
FAQs about Confidential and Public Applications#
What defines a confidential application in OAuth 2.0?#
A confidential application is one that can secure client credentials (like client IDs and secrets) and use these for authenticating with authorization servers.
Why can’t public applications hold credentials securely?#
Public applications run in environments like personal devices or browsers where the secure storage of credentials is not feasible, making them susceptible to attacks such as reverse engineering.
How do public and confidential applications handle token authentication differently?#
Confidential applications can use secrets to authenticate and obtain tokens, while public applications typically use alternative methods like PKCE to secure their token exchanges without needing a client secret.
Are there specific OAuth 2.0 flows designed for public applications?#
Yes, public applications often use the Authorization Code flow with PKCE, which enhances security for apps unable to hold secrets.
Share this article
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free
