Types of Application - Confidential vs Public Clients
I have asked this question multiple times during Interviews :
What are the various types of Applications, and how do you plan to use various Authentication and Authorization methods based on that? Let's start with Custom Applications.
In the context of software applications, particularly those that use OAuth 2.0 for authorization, the terms "confidential" and "public" clients refer to the types of applications based on their ability to securely store credentials such as client secrets. Here's an overview of the differences:
Confidential Clients
- Definition: Confidential clients are applications that can securely store credentials and confidential information. This capability typically stems from the client's ability to host the credentials on a secure server.
- Examples: Server-based applications like web apps running on a backend server where the server can securely store the client secret and other authentication data.
- Security: These clients can maintain the confidentiality of their authentication credentials. They authenticate with the authorization server using methods such as client secrets or private keys.
- Use Case: Often used in environments where the application can securely interact with the authorization server without exposing its credentials, such as backend services.
Public Clients
- Definition: Public clients are applications that cannot securely store credentials. This is usually because they operate in environments that are accessible to the user or where the application's storage is potentially accessible by others.
- Examples: Client-side applications like mobile apps and desktop applications, or single-page applications (SPAs) running in a browser.
- Security: These clients do not hold secrets because they cannot guarantee the safe storage of these secrets. They rely on other means for authentication, such as redirection-based flows where the credential does not need to be stored or is only temporarily accessible in memory and never stored.
- Use Case: Typically found in situations where the application environment cannot securely store secrets due to greater exposure to end-users or the possibility of reverse engineering.
Key Differences
- Ability to Store Secrets Securely:
- Confidential Clients: Can securely store and manage secrets (e.g., client secrets, private keys).
- Public Clients: Unable to store secrets securely due to their execution environment.
- OAuth 2.0 Flows:
- Confidential Clients: Often use flows that require storing secrets, like the client credentials flow or other server-side flows.
- Public Clients: Use flows designed to cope with environments where secrets cannot be safely stored, like the implicit flow or authorization code flow with PKCE (Proof Key for Code Exchange).
- Environment:
- Confidential Clients: Operate in controlled environments like server-side applications.
- Public Clients: Operate in environments exposed to users, such as browsers or mobile devices.
Understanding the differences between confidential and public clients is crucial for implementing secure OAuth 2.0 authorization strategies that are appropriate for the type of application and its operating environment. This ensures that the application adheres to best practices in terms of security and user data protection.