0

I have some native desktop apps that needs to authenticate as clients with an Authorization Server implementing OAuth2 and OIDC. Since I do not have to impersonate an user on my Authorization Server I've chosen "Client Credentials" as the flow to authenticate them. This way I can authenticate this applications as clients on the Authorization Server.

I was wondering if this flow is suited for a native desktop app or, since I cannot consider this type of applications as confidential clients (I probably do not have a secure way to store the client secret), I should use a different Oauth2 flow that does not include a client_secret.

Does the distinction between public and confidential clients flow make sense regarding the Client Credentials? Or is it fine to have possibly unsecure secrets store while handling a M2M authentication flow?

bertonc96
  • 772
  • 2
  • 13
  • 24

1 Answers1

1

You should use the authorization code flow and follow advice from RFC8252, to receive the login response on a loopback or private URI scheme based URI. You can run my code example to see how this works.

Client credentials flow is only usable by backend components when they act as OAuth clients. In a desktop app it would result in no real security, where anyone who can run the app can access data without authentication. The credentials are then also easily stolen by a malicious user.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24