
In the connectedApp settings, there is an option called "require secret for web-server flow". If I understand that correctly, if we choose that option, when using the web-server flow, after authentication the authorization code will still be sent to the client app. But the client app will then only need the authorization code to request an access token, instead of authorization code + client secret.

This flow is actually pretty interesting to me. If the client app doesn't need to provide a client secret to verify itself, how does the extra round of authorization code provide extra security? Is it almost the same thing as the user-agent flow?

Lance Shi
  • Duplicate of https://salesforce.stackexchange.com/questions/273714/oauth-2-0-user-agent-flow-why-is-it-okay-to-keep-the-refresh-token-when-it-is-c , one of our comments in there addresses this – identigral Aug 27 '19 at 01:17
  • @glls My question is more focused on why the web server flow without client secret makes sense. This is a special case of the web-server flow, and I am asking about the security perspective on this one as well. I don't think it is the same question – Lance Shi Aug 27 '19 at 01:18
  • @identigral your answer to that one didn't explain why the web server flow without client key is more secure than the user-agent flow – Lance Shi Aug 27 '19 at 01:22
  • @LanceShi Authorization grant code without a client secret makes sense for so-called public clients (e.g. a native mobile app) that cannot protect a secret. The comment in https://salesforce.stackexchange.com/questions/273714/oauth-2-0-user-agent-flow-why-is-it-okay-to-keep-the-refresh-token-when-it-is-c says exactly this. Good luck! – identigral Aug 27 '19 at 01:41
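To make the comparison in the question and comments concrete, here is a toy authorization server that models both flows: the web-server (authorization code) flow with no client secret checked, and the user-agent (implicit) flow. This is an added illustration, not Salesforce code or anything from the linked thread; the client id `demo-app`, the redirect URI `https://app.example/callback`, the user names and the 60-second code lifetime are constructed sample values. It shows what the authorization server can still enforce when no secret is presented: the code is single-use (a replay revokes the token it produced), short-lived, and bound to the registered client id and redirect URI, and the access token itself travels over the back channel rather than through the browser URL as it does in the user-agent flow.

```python
"""Toy model of the authorization code (web-server) flow without a client
secret, next to the user-agent (implicit) flow. Added example, not Salesforce
code; all identifiers below are constructed sample values. In-memory only."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    user: str
    issued_at: float
    token: Optional[str] = None  # access token redeemed for this code, if any


class ToyAuthServer:
    CODE_TTL_SECONDS = 60  # assumption: codes expire quickly

    def __init__(self, clock=time.time):
        self._clock = clock
        self._clients = {}  # client_id -> registered redirect URIs (no secret)
        self._codes = {}    # code -> AuthCode
        self.tokens = {}    # access token -> user it was issued for

    def register_public_client(self, client_id, redirect_uris):
        # Public client: no secret is stored, so none can be checked later.
        self._clients[client_id] = set(redirect_uris)

    def _known(self, client_id, redirect_uri):
        return redirect_uri in self._clients.get(client_id, set())

    def authorize(self, client_id, redirect_uri, user):
        """Web-server flow, step 1: after the user logs in via the browser,
        redirect back with a one-time code (not the token) in the query string."""
        if not self._known(client_id, redirect_uri):
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(client_id, redirect_uri, user, self._clock())
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, code, redirect_uri):
        """Web-server flow, step 2: the app's server exchanges the code over a
        back channel. No client_secret is checked here; the only defences are
        single use, expiry, and the client id / redirect URI binding."""
        rec = self._codes.get(code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec.token is not None:
            # Replay: the code was already redeemed. Revoke the token it
            # produced so that neither the app nor a second redeemer keeps access.
            self.tokens.pop(rec.token, None)
            return {"error": "invalid_grant"}
        if self._clock() - rec.issued_at > self.CODE_TTL_SECONDS:
            return {"error": "invalid_grant"}
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        rec.token = secrets.token_urlsafe(32)
        self.tokens[rec.token] = rec.user
        return {"access_token": rec.token, "token_type": "Bearer"}

    def authorize_user_agent(self, client_id, redirect_uri, user):
        """User-agent flow: the access token itself is returned through the
        browser in the URL fragment; there is no second step that could check
        anything about who received it."""
        if not self._known(client_id, redirect_uri):
            raise ValueError("unknown client or unregistered redirect_uri")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return f"{redirect_uri}#access_token={token}&token_type=Bearer"


def code_from_redirect(url):
    """What the app's server does on receiving the redirect: read the code."""
    return parse_qs(urlparse(url).query)["code"][0]


def token_from_fragment(url):
    """What browser-side script does in the user-agent flow: read the token."""
    return parse_qs(urlparse(url).fragment)["access_token"][0]


if __name__ == "__main__":
    srv = ToyAuthServer()
    srv.register_public_client("demo-app", ["https://app.example/callback"])
    url = srv.authorize("demo-app", "https://app.example/callback", "alice")
    print("redirect:", url)
    code = code_from_redirect(url)
    print("exchange:", srv.token("demo-app", code, "https://app.example/callback"))
    print("replay:  ", srv.token("demo-app", code, "https://app.example/callback"))
```

The difference this models is that in the web-server flow the browser only ever sees a short-lived, single-use code and the token is issued to whichever server redeems that code at the registered redirect URI, whereas in the user-agent flow the token is exposed in the browser URL with nothing left for the server to check. Without a secret, anyone who intercepts the code before the app redeems it can still exchange it, which is why public clients in practice also bind the code to the requester with PKCE (RFC 7636); this toy server does not model that.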

0 Answers