Regular Web Application - clientSecret dangers

So, in M2M applications, it’s very easy to select scopes for the API and control, what can be done using clientId & clientSecret.

But what are the risks of leaked clientId & clientSecret in Regular Web Application?

  1. Can someone realistically use id/secret form Regular Web App to login on someones account?
  2. Can some use the any methods of Management API? ( i tried to get mgm token, but failed, so this is probably not possible)
  3. What other actions are possible with leaked id/secret?

Hey there @toomuchtimeondocs !

Because there is no user interaction, leaked M2M credentials (depending on what they are authorized for) could be used to create access tokens directly, whereas a Web app typically does require user interaction and consent.

I think the primary concern with leaked Web app credentials could be the ability to impersonate your application resulting in potential access to resources. For example, with the web app client secret a bad actor could impersonate your app, intercept an authorization code in an authorization code flow and exchange it for tokens.

Because the Web app credentials aren’t able to be authorized by the Management API, they wouldn’t be able to use any methods against it.