Onfido? Stripe? Client Credential Flow?

Hi everyone! :raising_hand_man:

I’ve been thinking about how we secure and protect our API as a service provider like Onfido or Stripe.

For this example, imagine we’re a service provider like Onfido. A short intro about Onfido: they provide a KYC solution for businesses to verify people’s identity using an ID document, a selfie photo, etc.

In order for our customers to use our service (API), a developer needs to register a user account and create an application from our dashboard; we will then provide the Client ID & Client Secret for their application.

Now we have Customer ABC and Customer XYZ. In theory, they’re our clients and also the resource owners. We’re providing an SDK for the clients so they can embed the UI in their web application or native mobile app. Or they can create their own UI and just call our API.

Based on what I read from the documentation, storing the client secret in a native app or SPA is not recommended. In this case, how can they proceed with the client credentials flow without any backend server?

Or is the client credentials flow not even needed here? Without the client credentials flow, how do we protect our API from being used by anonymous applications? :thinking:

By the way…Merry Christmas! :santa::christmas_tree:




Hi @austinchan!

Welcome to the Community and hope you had a great Christmas!

Based on what I read from the documentation, storing the client secret in a native app or SPA is not recommended. In this case, how can they proceed with the client credentials flow without any backend server?

That’s correct, the Client Secret cannot be stored in the client’s application, and so they should not use the Client Credentials flow if they are building a SPA or mobile app.

Client Credentials flow is intended for scenarios where the exchange of credentials is not exposed to the browser or third-party applications at any point during authentication (including any front-end code or other native apps on a device, etc.). This flow is appropriate if no end-user authorization is required.

Because SPAs and native apps don’t have a way to securely store their Client Secret, they must use a different flow such as Authorization Code flow with PKCE. This method allows the Client to obtain an Access Token without providing a client secret.

Here is an article that explains how to determine which OAuth 2.0 flow to follow for different situations:

Happy New Year!

Stephanie

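To make the PKCE mechanism in the answer above concrete, here is an added example (not code from this thread or from any vendor SDK) of the two halves of RFC 7636: the public client derives an S256 code_challenge from a random code_verifier, and the authorization server later checks the verifier presented at the token endpoint against the challenge it stored with the authorization code. No client secret is involved anywhere; the in-memory "server" and the sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
_UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")


def make_code_verifier(length: int = 64) -> str:
    """Client side: random code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    alphabet = sorted(_UNRESERVED)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_code_challenge(code_verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(stored_challenge: str, presented_verifier: str,
                          method: str = "S256") -> bool:
    """Authorization-server side: validate the verifier sent with the token request
    against the challenge that was bound to the authorization code."""
    if method != "S256":
        return False  # the weaker "plain" method is not accepted here
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(ch not in _UNRESERVED for ch in presented_verifier):
        return False
    expected = make_code_challenge(presented_verifier)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, stored_challenge)


def simulate_exchange(code_only_interceptor: bool = False) -> bool:
    """Walk the flow against a constructed in-memory 'authorization server'."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Authorization request carried the challenge; the server binds it to the code.
    issued = {"code": secrets.token_urlsafe(16), "challenge": challenge}
    # Token request must carry the verifier. A party holding only the code
    # (e.g. via a leaked redirect) has no verifier and is refused.
    presented = make_code_verifier() if code_only_interceptor else verifier
    return verify_code_challenge(issued["challenge"], presented)
```

The fixed verifier/challenge pair in the test is the worked example from RFC 7636 Appendix B.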

Hi Stephanie, thanks for the reply! Given that end-user authentication is not needed in this example scenario, is none of the OAuth flows needed here? In this case, how do we protect the API from being used by anonymous applications that didn’t register with us?

Unfortunately, since end-user authentication is not required, there isn’t an available OAuth flow for this since public clients are involved.

Here is a related topic that may be helpful: Securing anonymous asp.net core 2.0 API
