aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Be prescriptive on how client authentication is used #7

Closed PieterKas closed 1 year ago

PieterKas commented 1 year ago

If client authentication is used, don't ship client secrets in the binary, e.g. use dynamic client registration instead. Look at what PAR does and ensure it can be used here.
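The pattern suggested above (register each installed app instance at runtime instead of compiling one shared secret into the binary, then authenticate the pushed authorization request with that per-instance credential), as an added in-process example that is not part of the draft or of this thread. `MockAuthorizationServer`, `NativeAppInstance`, the redirect URI and all values are constructed for illustration; the field names follow RFC 7591 (dynamic client registration) and RFC 9126 (PAR), but the server logic is a simplified mock, not any real implementation.

```python
import base64, hashlib, secrets, time
from urllib.parse import parse_qs, urlencode

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class MockAuthorizationServer:
    # Constructed in-process stand-in for the registration, PAR and authorization endpoints.
    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uris", "revoked"}
        self.pushed = {}   # request_uri -> (client_id, params, expiry)

    def register(self, metadata: dict) -> dict:
        # RFC 7591 3.1: mint a fresh client_id/client_secret for *this* install.
        if (metadata.get("token_endpoint_auth_method") != "client_secret_basic"
                or not metadata.get("redirect_uris")):
            raise ValueError("invalid_client_metadata")
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "revoked": False,
                                   "redirect_uris": list(metadata["redirect_uris"])}
        return {"client_id": client_id, "client_secret": client_secret,  # expires_at 0 = no expiry
                "client_id_issued_at": int(time.time()), "client_secret_expires_at": 0, **metadata}

    def _authenticate(self, authorization: str) -> str:
        # client_secret_basic (RFC 6749 2.3.1) with a constant-time secret compare.
        scheme, _, credential = authorization.partition(" ")
        try:
            client_id, _, secret = base64.b64decode(credential).decode().partition(":")
        except Exception:
            raise PermissionError("invalid_client") from None
        record = self.clients.get(client_id)
        if (scheme != "Basic" or record is None or record["revoked"]
                or not secrets.compare_digest(record["secret"], secret)):
            raise PermissionError("invalid_client")
        return client_id

    def par(self, authorization: str, form_body: str) -> dict:
        client_id = self._authenticate(authorization)
        params = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
        # RFC 9126 2.1: body client_id must match the authenticated client, no
        # request_uri inside a pushed request, registered redirect_uri, PKCE S256.
        if (params.get("client_id") != client_id or "request_uri" in params
                or params.get("redirect_uri") not in self.clients[client_id]["redirect_uris"]
                or params.get("code_challenge_method") != "S256"):
            raise ValueError("invalid_request")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(24)
        self.pushed[request_uri] = (client_id, params, time.time() + 60)
        return {"request_uri": request_uri, "expires_in": 60}

    def authorization_request(self, client_id: str, request_uri: str) -> dict:
        # RFC 9126 2.2: request_uri is single-use, bound to the client and short-lived.
        entry = self.pushed.pop(request_uri, None)
        if entry is None or entry[0] != client_id or time.time() > entry[2]:
            raise ValueError("invalid_request_uri")
        return entry[1]

    def revoke_client(self, client_id: str) -> None:
        self.clients[client_id]["revoked"] = True


class NativeAppInstance:
    # One installed copy of the app; the binary carries no client secret at all.
    REDIRECT_URI = "com.example.app:/oauth2redirect"  # constructed value

    def __init__(self, server: MockAuthorizationServer):
        self.server, self.client_id, self.client_secret = server, None, None

    def bootstrap(self) -> None:
        resp = self.server.register({"client_name": "Example First-Party App",
                                     "redirect_uris": [self.REDIRECT_URI],
                                     "grant_types": ["authorization_code"],
                                     "token_endpoint_auth_method": "client_secret_basic"})
        # A real app keeps these in the platform keystore, never in code.
        self.client_id, self.client_secret = resp["client_id"], resp["client_secret"]

    def push_authorization_request(self, scope: str) -> tuple:
        verifier = secrets.token_urlsafe(32)
        challenge = base64.urlsafe_b64encode(
            hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
        form = urlencode({"response_type": "code", "client_id": self.client_id,
                          "redirect_uri": self.REDIRECT_URI, "scope": scope,
                          "code_challenge": challenge, "code_challenge_method": "S256"})
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        return self.server.par("Basic " + basic, form)["request_uri"], verifier, challenge


def demo() -> dict:
    # Two installs register separately; revoking one leaves the other working.
    server = MockAuthorizationServer()
    a, b = NativeAppInstance(server), NativeAppInstance(server)
    a.bootstrap(); b.bootstrap()
    request_uri, _, challenge = a.push_authorization_request("openid profile")
    pushed = server.authorization_request(a.client_id, request_uri)
    try:  # replaying the same request_uri must fail
        server.authorization_request(a.client_id, request_uri); single_use = False
    except ValueError:
        single_use = True
    server.revoke_client(a.client_id)  # this install's credential leaked: revoke only it
    try:
        a.push_authorization_request("openid"); revoked_outcome = "accepted"
    except PermissionError as exc:
        revoked_outcome = str(exc)
    b_uri, _, _ = b.push_authorization_request("openid")
    return {"distinct_credentials": a.client_id != b.client_id and a.client_secret != b.client_secret,
            "pushed_scope": pushed["scope"], "challenge_preserved": pushed["code_challenge"] == challenge,
            "request_uri_single_use": single_use, "revoked_instance": revoked_outcome,
            "other_instance_ok": b_uri.startswith(REQUEST_URI_PREFIX)}
```

Because every install holds its own credential, a secret extracted from one device can be revoked without breaking every other copy of the app, which is exactly what a secret baked into the binary cannot offer. The PAR step then keeps the authorization parameters off the front channel and ties the resulting `request_uri` to the authenticated client.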

gffletch commented 1 year ago

Maybe just put a link to best practices for native apps spec.

aaronpk commented 1 year ago

Covered in Client Authentication section in Security Considerations https://aaronpk.github.io/oauth-first-party-native-apps/draft-parecki-oauth-first-party-native-apps.html#name-client-authentication