Because mobile applications cannot guarantee client_secret privacy, they can use a grant type that does not require it. This is an Implicit Grant. The idea is to redirect the mobile browser to the authorization endpoint using the response_type=token parameter:
https://example.com/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=http://REDIRECT_URI
After authenticating the user against the identity provider, the browser will be redirected back to the redirect_uri specified in the authorization request, and the access token will be transmitted:
http://REDIRECT_URI/
Then you can intercept the request for this specially created URL in the browser (by subscribing to the corresponding events that are triggered when the URL is changed), extract the access token that is transmitted, and use this token to make authenticated requests.
If someone gets a customer ID, can they use them to create a duplicate application? How does security work in the above scenario?
OAuth 2 is not intended to protect the intellectual property of your application. This is an authentication protocol. With or without it, anyone can duplicate your application. The idea is that without a client_secret, an application cannot use the required grant types, which usually provide more permissions and areas for issued access tokens.
Darin Dimitrov
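As an added example (not code from the answer above), here is what the two sides of that flow look like in a mobile app's URL-change handler: building the response_type=token request with a state value, and pulling the token out of the fragment of the redirect the browser lands on, refusing it when the callback host, state or token_type is not what we issued. The callback URL https://app.example/cb and the token values are constructed for the example; only https://example.com/authorize comes from the answer.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://example.com/authorize"  # endpoint from the answer above


def build_authorize_url(client_id, redirect_uri, state, scope=None):
    """Implicit-grant request: response_type=token and no client_secret anywhere."""
    params = {"response_type": "token", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def extract_token(landed_url, redirect_uri, expected_state):
    """Called on every URL change; returns the token dict for our callback, None otherwise.

    The token travels in the URL fragment (after '#'), never in the query string.
    Note: RFC 8252 / the OAuth 2.0 Security BCP now recommend the authorization
    code grant with PKCE for native apps instead of this flow.
    """
    parts = urlsplit(landed_url)
    if (parts.scheme, parts.netloc, parts.path) != tuple(urlsplit(redirect_uri)[:3]):
        return None  # some other page loaded in the embedded browser; not our callback
    if "access_token" in parse_qs(parts.query):
        raise ValueError("token arrived in the query string; refusing (it would hit server logs)")
    frag = parse_qs(parts.fragment)
    if "error" in frag:
        raise ValueError("authorization failed: " + frag["error"][0])
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; response was not issued for this request")
    token = frag.get("access_token", [None])[0]
    if not token or frag.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("missing access_token or unexpected token_type")
    expires = frag.get("expires_in", [None])[0]
    return {"access_token": token, "expires_in": int(expires) if expires else None}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # fresh per request; the app must remember it
    print(build_authorize_url("CLIENT_ID", "https://app.example/cb", state, "read"))
    # Constructed sample of the redirect the browser lands on after login:
    landed = f"https://app.example/cb#access_token=abc123&token_type=bearer&expires_in=3600&state={state}"
    print(extract_token(landed, "https://app.example/cb", state))
```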