Okta Classic Engine · Single Sign-On · Answered · 2018-12-05 · 2018-12-19 · 2024-04-16

7sb5x (7sb5x) asked a question.

Client Secret in native apps

We have developers that occasionally attempt to include the client secret in their native apps because they claim they can't get OAuth/OIDC working without it. There's a warning in the Okta UI that cautions against this. After days of searching around, everything I've read says that that is not secure and poses a threat, but nothing I've read actually gives an example of how this can be exploited.
Maybe I'm just not grasping the explanations, but what real-world scenario is there where, if someone has the client ID and client secret but not the user's credentials, they are able to do nasty deeds? Does the threat assume that they've compromised an account, created a fake app, and then impersonate the user on the fake app? Or is there a situation where you can make a call with just the client ID and client secret and collect information? So far when I've tried to do that, Okta just replies saying the access token is missing, a token you'd obtain by using user credentials.
Sorry if I'm being dense, but I want to be able to advise our devs with a concrete answer instead of just "It's a bad idea. Don't do it."


  • jerrell.gary1.4491858992560479E12 (Presales - Americas Commercial, Emerging West)

    Hello Erik,
    Here is the reply from our Security Team listed below.
    The intention of the client secret is for the web application to communicate securely (think master password) with the authorization server. If the client secret is leaked then an attacker could communicate with the authorization server directly as the application server and the authorization server would trust it. What an attacker can do depends on the scope of the token and what actions the token is granted to do. Think of it as leaking your private keys.
    Impact is outlined here: https://tools.ietf.org/html/rfc6819#section-4.1.1

    Selected as Best
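The accepted answer explains why a leaked secret matters; for the native-app case the asker raises, the standard alternative is to register the app as a public client with no secret and bind each authorization code to the app instance with PKCE (RFC 7636) instead. The Python below is an added example, not code from this thread or from Okta: a constructed toy token endpoint (all names and values are made up) showing that an observed code cannot be redeemed without the code_verifier that never leaves the app, so there is no secret to embed or leak.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # Base64url without padding, as RFC 7636 specifies for verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    # The code_verifier stays inside this app instance; only the S256 challenge is sent up front
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class ToyAuthServer:
    """Constructed stand-in for an authorization server's token endpoint (not Okta's code).
    Public clients register with no client_secret and are bound by PKCE instead."""

    def __init__(self) -> None:
        self.pending: dict[str, tuple[str, str]] = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # Stands in for the browser leg: user authenticates, server issues a short-lived code
        code = b64url(secrets.token_bytes(16))
        self.pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        entry = self.pending.pop(code, None)  # codes are single-use; a failed redeem burns them
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, entry[1]):  # verifier must match the stored challenge
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def demo() -> tuple[bool, bool]:
    server = ToyAuthServer()
    client_id = "native-app-client-id"  # constructed; a client_id is public, not a secret
    verifier, challenge = make_pkce_pair()
    code = server.authorize(client_id, challenge)
    # A party holding the public client_id and an observed code, but not this instance's
    # verifier, is refused: that binding is what makes an embedded secret unnecessary.
    rejected = "error" in server.token(client_id, code, b64url(secrets.token_bytes(32)))
    code = server.authorize(client_id, challenge)  # fresh code; the previous one was consumed
    accepted = "access_token" in server.token(client_id, code, verifier)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```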
  • jerrell.gary1.4491858992560479E12 (Presales - Americas Commercial, Emerging West)

    Hello Erik,
    Thank you for your post. We want to assist you to be successful in your Okta Org. To that end we want to make sure you have the best resources at your disposal for the task. I will need to refer you to our security team. They can be contacted at Security-Request@okta.com.
    You can always open a case with Okta Support by calling 1.800.219.0964. We can assist you further as well.
This question is closed.