wagnerdelima / drf-social-oauth2

drf-social-oauth2 makes it easy to integrate Django social authentication with major OAuth2 providers, i.e., Facebook, Twitter, Google, etc.
https://drf-social-oauth2.readthedocs.io/en/latest/
MIT License

Client type #142

Closed konsalex closed 1 year ago

konsalex commented 1 year ago

Describe the bug

Not a bug, but did not find any discussion space to ask directly 🤷

You state in the docs that the client_type should be set to confidential, while from django-oauth-toolkit I can see that the client type is defined based on this RFC, which states that some cases should be Public, for example if we have a single-page app, because it is incapable of secure authentication via any other means.

Is there any context I may be missing here? 🤔

wagnerdelima commented 1 year ago

A single-page app will be insecure either way if you give the application public or private ownership. The single-page app would need to have a token in order to authenticate with your API. Anyone could find it by inspecting the page itself via any modern browser.

That's all the context I know.
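The distinction raised in the question and the answer above (a confidential client can prove possession of a secret, a public client such as a browser SPA cannot) is what the token endpoint actually checks. The following is an added example, not code from drf-social-oauth2 or django-oauth-toolkit: a self-contained model of RFC 6749 client authentication for the two client types, plus a small configuration audit. The `Application` class, `authenticate_client` and `audit_client_type` are hypothetical names chosen for this illustration; only the two client type strings mirror the values the thread discusses.

```python
"""Added example (not the project's code): RFC 6749 client authentication
at the token endpoint, modelled for confidential vs. public clients."""
import hmac
from dataclasses import dataclass
from typing import Optional

CLIENT_CONFIDENTIAL = "confidential"
CLIENT_PUBLIC = "public"


@dataclass
class Application:
    """Hypothetical stand-in for a registered OAuth2 application."""
    client_id: str
    client_type: str
    client_secret: Optional[str] = None  # only meaningful for confidential clients


class ClientAuthError(Exception):
    """Raised when the presented client credentials are not acceptable."""


def authenticate_client(app: Application, client_id: str,
                        client_secret: Optional[str]) -> str:
    """Return the client type when the presented credentials are acceptable.

    Confidential clients (RFC 6749 section 2.1) must prove possession of
    their secret. Public clients cannot keep a secret, so only the
    client_id is checked and any secret they send is ignored.
    """
    # Constant-time comparison avoids leaking how much of the id matched.
    if not hmac.compare_digest(app.client_id.encode(), client_id.encode()):
        raise ClientAuthError("unknown client")
    if app.client_type == CLIENT_CONFIDENTIAL:
        if not app.client_secret or client_secret is None:
            raise ClientAuthError("confidential client must authenticate")
        if not hmac.compare_digest(app.client_secret.encode(), client_secret.encode()):
            raise ClientAuthError("invalid client secret")
        return CLIENT_CONFIDENTIAL
    if app.client_type == CLIENT_PUBLIC:
        return CLIENT_PUBLIC
    raise ClientAuthError("unsupported client type")


def audit_client_type(app: Application, runs_in_browser: bool) -> list[str]:
    """Flag a client_type that does not match where the client code runs.

    A secret shipped inside a browser bundle is readable by every user of
    the page, so marking such a client confidential protects nothing.
    """
    findings = []
    if runs_in_browser and app.client_type == CLIENT_CONFIDENTIAL:
        findings.append("browser-side client registered as confidential: secret will leak")
    if app.client_type == CLIENT_PUBLIC and app.client_secret:
        findings.append("public client has a secret configured: it is never checked, remove it")
    return findings


if __name__ == "__main__":
    # Constructed sample registrations.
    spa = Application("spa-123", CLIENT_PUBLIC)
    backend = Application("srv-1", CLIENT_CONFIDENTIAL, "s3cret")
    print(authenticate_client(spa, "spa-123", None))          # public
    print(authenticate_client(backend, "srv-1", "s3cret"))    # confidential
    print(audit_client_type(Application("web", CLIENT_CONFIDENTIAL, "k"), True))
```

The audit function is the practical takeaway for the SPA case: what matters is not whether a secret is configured but whether the code that holds it can keep it, which a browser-side app cannot.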

HoliSimo commented 1 year ago

Thanks for your answer @wagnerdelima but I'm not sure that I have understood.

It's clear that a SPA is not secure due to its nature. But are there some best practices to follow?