You know, it's right there in the OAuth RFC.

4.6. Secrecy of the Client Credentials

   In many cases, the client application will be under the control of
   potentially untrusted parties.  For example, if the client is a
   desktop application with freely available source code or an
   executable binary, an attacker may be able to download a copy for
   analysis.  In such cases, attackers will be able to recover the
   client credentials.

   Accordingly, servers should not use the client credentials alone to
   verify the identity of the client.

Reply via email to