I think the main difference is that User-Agent clients (aka JavaScript
clients) cannot store a secret while Native Apps can safely store a
secret, but the secret cannot be distributed (or, even if it can be
distributed, it may not have much value).

The difference is important. Each native app instance could require a
registration phase that would provide a unique secret and possibly ID.
This registration phase could be completely automatic or could involve
the end user. There have been proposals for both. How much value there
is in such a registration is not clear to me.

Marius



On Thu, Jun 24, 2010 at 6:50 PM, Brian Dunnington
<[email protected]> wrote:
> In the 'User-Agent' profile, it says:
>
> "This user-agent profile does not utilize the client secret since the
>   client executables reside on the end-user's computer or device which
>   makes the client secret accessible and exploitable"
>
> However, the 'Native Apps' profile does not include such verbiage and
> in fact specifically requires the use of the client secret. Native
> apps' executables also reside on the end-user's computer or device,
> making the client secret just as accessible and exploitable, so why
> the difference?
>
> Specifically, as a native app developer, there is no good (secure) way
> to distribute the client secret without it being compromised. Any
> open-source application would have even more problems keeping their
> secret secure, but even compiled apps are easily exploitable. In this
> scenario, there is no single, secure repository to keep the client
> secret safe, so I would expect that the requirement of the client
> secret for native apps be removed and made conformant with the
> user-agent profile.
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
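As an added illustration of the per-instance registration phase Marius describes (example code written for this note, not from the thread or from any OAuth implementation; the in-memory registry and the function names are assumptions), an authorization server can mint a distinct client ID and secret for each installed copy, so a secret extracted from one device is worthless against the others and can be revoked on its own:

```python
import hashlib
import hmac
import secrets

# Constructed in-memory registry standing in for the server's client store:
# client_id -> {"secret_hash": ..., "instance": ..., "revoked": bool}
REGISTRY: dict = {}


def _hash_secret(secret: str) -> str:
    # The secret is a high-entropy random token, so a plain SHA-256 at rest is
    # enough here; a user-chosen password would need a slow KDF instead.
    return hashlib.sha256(secret.encode()).hexdigest()


def register_instance(instance_label: str) -> tuple:
    """Registration phase for one install: returns (client_id, client_secret).
    The secret is handed out exactly once; only its hash is kept server-side."""
    client_id = "native-" + secrets.token_hex(8)
    client_secret = secrets.token_urlsafe(32)
    REGISTRY[client_id] = {"secret_hash": _hash_secret(client_secret),
                           "instance": instance_label, "revoked": False}
    return client_id, client_secret


def authenticate_client(client_id: str, client_secret: str) -> bool:
    """Token-endpoint check: unknown or revoked IDs fail; otherwise a
    constant-time comparison against the stored hash."""
    entry = REGISTRY.get(client_id)
    if entry is None or entry["revoked"]:
        return False
    return hmac.compare_digest(entry["secret_hash"], _hash_secret(client_secret))


def revoke_instance(client_id: str) -> None:
    """Revoking one leaked per-instance secret leaves every other install working,
    which a single secret baked into the shipped binary could never offer."""
    if client_id in REGISTRY:
        REGISTRY[client_id]["revoked"] = True


def demo() -> dict:
    a_id, a_secret = register_instance("constructed: install on laptop A")
    b_id, b_secret = register_instance("constructed: install on phone B")
    before = (authenticate_client(a_id, a_secret), authenticate_client(b_id, b_secret))
    revoke_instance(a_id)  # secret of install A was extracted from its device
    after = (authenticate_client(a_id, a_secret), authenticate_client(b_id, b_secret))
    return {"before": before, "after": after,
            "distinct_secrets": a_secret != b_secret,
            "cross_use_rejected": not authenticate_client(b_id, a_secret)}
```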