So, in M2M applications, it’s very easy to select scopes for the API and control, what can be done using clientId & clientSecret.
But what are the risks of leaked clientId & clientSecret in Regular Web Application?
Hey there @toomuchtimeondocs !
Because there is no user interaction, leaked M2M credentials (depending on what they are authorized for) could be used to create access tokens directly, whereas a Web app typically does require user interaction and consent.
I think the primary concern with leaked Web app credentials could be the ability to impersonate your application resulting in potential access to resources. For example, with the web app client secret a bad actor could impersonate your app, intercept an authorization code in an authorization code flow and exchange it for tokens.
Because the Web app credentials aren’t able to be authorized by the Management API, they wouldn’t be able to use any methods against it.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.