I’ve been thinking about how we secure and protect our API as a service provider like Onfido or Stripe.
For this example, imagine we’re a service provider like Onfido. A short intro about Onfido: they provide a KYC solution for businesses to verify people’s identity using an ID document, selfie photo, etc.
In order for our customers to use our service (API), a developer needs to register a user account and create an application from our dashboard; we will then provide the Client ID & Client Secret for their application.
Now we have Customer ABC and Customer XYZ. In theory, they’re our clients and also the resource owners. We’re providing an SDK for the clients so they can embed the UI in their web application or native mobile app. Or they can create their own UI and just call our API.
Based on what I read from the documentation, storing the client secret in a native app or SPA is not recommended. In this case, how can they proceed with the client credentials flow without any backend server?
Or is the client credentials flow not even needed here? Without the client credentials flow, how do we protect our API from use by anonymous applications?
Welcome to the Community and hope you had a great Christmas!
Based on what I read from the documentation, storing the client secret in a native app or SPA is not recommended. In this case, how can they proceed with the client credentials flow without any backend server?
That’s correct: the Client Secret cannot be stored in the client’s application, so they should not use the Client Credentials flow if they are building a SPA or mobile app.
Client Credentials flow is intended for scenarios where the exchange of credentials is not exposed to the browser or third-party applications at any point during authentication (including any front-end code or other native apps on a device, etc.). This flow is appropriate if no end-user authorization is required.
Because SPAs and native apps don’t have a way to securely store their Client Secret, they must use a different flow such as Authorization Code flow with PKCE. This method allows the Client to obtain an Access Token without providing a client secret.
Here is an article that explains how to determine which OAuth 2.0 flow to follow for different situations:
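The PKCE mechanism the answer above refers to, as an added example that is not part of the original thread or any vendor's SDK: the public client (SPA or native app) generates a random code_verifier and sends only its SHA-256 code_challenge on the authorization request; at the token endpoint it presents the verifier, and the authorization server recomputes the challenge instead of demanding a client secret. The ToyAuthorizationServer class, the client_id "spa-client" and the redirect URI are constructed stand-ins for illustration; the S256 derivation follows RFC 7636.

```python
import base64
import hashlib
import secrets


def generate_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy code_verifier (RFC 7636 requires 43..128 unreserved chars)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    # token_urlsafe emits only [A-Za-z0-9_-], all of which are unreserved characters.
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and compare in constant time."""
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":  # allowed by the RFC but offers no downgrade protection
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


class ToyAuthorizationServer:
    """Constructed stand-in for the /authorize and /token endpoints (not a real product's API)."""

    def __init__(self) -> None:
        # authorization_code -> (client_id, code_challenge, method, redirect_uri)
        self._codes: dict[str, tuple[str, str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        # After the end user authenticates and consents, the server binds the
        # challenge to a one-time authorization code and redirects it to the client.
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge, code_challenge_method, redirect_uri)
        return code

    def token(self, client_id: str, code: str, code_verifier: str, redirect_uri: str) -> dict:
        # No client_secret here: a public client proves it initiated this flow by
        # presenting the verifier whose hash was bound to the code.
        entry = self._codes.pop(code, None)  # single use: consumed even when verification fails
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, challenge, method, stored_redirect = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            return {"error": "invalid_grant"}
        if not verify_pkce(challenge, method, code_verifier):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_pkce_flow() -> dict:
    """Drive one complete exchange: the client keeps the verifier, the server only ever sees the hash."""
    server = ToyAuthorizationServer()
    verifier = generate_code_verifier()
    code = server.authorize("spa-client", "https://app.example/cb", code_challenge_s256(verifier))
    return server.token("spa-client", code, verifier, "https://app.example/cb")


if __name__ == "__main__":
    print(run_pkce_flow())
```

The point the example makes concrete: an attacker who intercepts the authorization code (a real risk for native-app custom URL schemes) cannot redeem it, because the token endpoint also demands the verifier that never left the legitimate client. PKCE authenticates the flow, not the application itself, which is why it replaces the client secret for public clients rather than acting as one.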
Hi Stephanie, thanks for the reply! Given that end-user authentication is not needed in this example scenario, is none of the OAuth flows needed here? In this case, how do we protect the API from use by anonymous applications that didn’t register with us?