Good question! The OAuth Authorization Code flow doesn't ... • Aaron Parecki

Khor https://twitter.com/neth_6 • Aug 8
Got a #IndieAuth question. Since there is no client pre-registration, there is no client secret. Thus during code/access token exchange no client secret is used. Less secure than Authorization Code and more like Implicit perhaps?

Good question! The OAuth Authorization Code flow doesn't require a secret either. For example mobile apps can't use a secret, but still use the Auth Code flow. There are many benefits to the Auth Code flow over Implicit, I wrote some about that here https://developer.okta.com/blog/2018/05/24/what-is-the-oauth2-implicit-grant-type#when-to-use-the-implicit-grant-type

Portland, Oregon, USA • 64°F

Wed, Aug 8, 2018 6:25am -07:00

3 replies
Have you written a response to this? Let me know the URL:
- Khor twitter.com/neth_6
  
  Got it. I read the link you shared but I must have missed the part about Auth Code flow with no client secret. Sorry.
  
  Wed, Aug 8, 2018 2:46pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  Regular OAuth 2.0 also supports the Authorization Code flow with no secret. In fact, many companies recommend Auth Code w/no secret instead of Implicit.
  
  IndieAuth is like taking Auth Code w/no secret and adding back some layers of security because of the client ID being a URL.
  
  Wed, Aug 8, 2018 2:42pm +00:00 (via brid-gy.appspot.com)
- Khor twitter.com/neth_6
  
  The link you shared is for Implicit? Implicit does not use client secret. Does this mean IndieAuth is more similar to Implicit than Auth Code but is more secure as the client id has to be redirect uri?
  
  Wed, Aug 8, 2018 2:40pm +00:00 (via brid-gy.appspot.com)

Posted in /replies using quill.p3k.io