Is it safe to store 'client_secret' on mobile device when using OAuth?

5
votes

I'm building Laravel backend to authenticate users from mobile devices. and using https://github.com/lucadegasperi/oauth2-server-laravel

Users from mobile will call /oauth/callback to get Access Token

I'm planning to use 'password' as grant type. So in that case the user will send the following: - username & password - client ID + SECRET

I feel there's something wrong in storing secret on mobile device. Is that good practice? When doing reverse engineering for and app, the secret can be detected easily.

Can anybody explain best practices when using OAuth2

1
laraveloauth

1 Answers

2
votes

OAuth 2.0 assumes that native applications cannot keep client credentials confidential. The following is an excerpt from RFC 6749, "9. Native Applications".

Native applications that use the authorization code grant type SHOULD do so without using client credentials, due to the native application's inability to keep client credentials confidential.

A client application that is in an environment where it is difficult to keep client credentials confidential is called public client (RFC 6749, "2.1. Client Types"). Public clients should not make an authorization and/or token request with a client secret. (but it is allowed.)

If your mobile devices are smartphones, you should not embed a client secret in your application. On the other hand, if your mobile devices are special ones and you think it is practically impossible for crackers to extract a client secret from your application in the mobile devices, using a client secret will enhance security.