
I'm setting up a web service with OAuth2 authorization/authentication. If I understand correctly, the implicit flow should be used for native desktop apps, because decompilation and other processes could potentially expose the client secret.

Implicit flow requires a valid redirect URI, but I don't understand how these should be used. I am not looking for 3-legged authentication through a facebook app or something, but 2-legged with direct access to my own web services. Like the Facebook and Twitter apps themselves do.

My question is: is OAuth2 implicit flow always 3-legged? And if so, how do Facebook and Twitter's apps ensure that the client secret isn't leaked? If they are using implicit flow, how does their redirecting scheme work?

Stijn Frishert

2 Answers


I had the same question today and couldn't find any answers or posts either.

So what I have discovered so far:

1) Yes, the implicit grant flow always consists of two/three steps (depending on how you count):

  • User is redirected to the authorisation page;

  • User confirms that they grant access to this app;

  • User is redirected back to the consumer app, access token is passed as a hash fragment parameter.

2) The client secret is not used at all with the implicit grant flow. It wouldn't make sense anyway - it would be in plain sight. However, there are still some security measures: implicit grant usually requires a pre-approved redirect URL, so only the specified trusted URL will ever get an access token.

3) Yes, I also noticed that even though Facebook/Twitter use OAuth2 heavily, you won't see these steps when you use their own web application. I have several suspicions:

  • They may not use OAuth2 for their own web apps at all;

  • They may pass the token using their own, non-documented flow;

  • They may pre-authorize their own apps so that the authorization step is skipped.

I personally chose the last option for my application. I created a list of internal applications that don't require explicit approval from the user.

Denis Mysenko
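The three steps and the pre-approved redirect URI check from the answer above, as an added example that is not from the original post or from any real authorization server. It assumes a constructed client registry (`REGISTERED_CLIENTS`), a hypothetical authorization endpoint URL, exact string matching of the redirect URI (the answer only says "pre-approved"), and plain dicts standing in for HTTP responses. The `state` parameter goes beyond what the answer lists: it ties the redirect back to the request the client actually made.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry for this example: client id -> redirect URIs registered
# out of band when the client was created. No secret is stored for an implicit client.
REGISTERED_CLIENTS = {
    "my-desktop-app": {"http://127.0.0.1:8765/callback"},
}


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Step 1 (client): the URL the user is sent to. response_type=token asks for the implicit grant."""
    return auth_endpoint + "?" + urlencode({
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })


def authorize(request_query, user_consented, issue_token):
    """Steps 2 and 3 (authorization server): check the redirect URI, record consent,
    then redirect back with the token in the fragment. Returns a dict standing in
    for an HTTP response; issue_token is the server's token minting routine."""
    params = parse_qs(request_query, keep_blank_values=True)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    state = params.get("state", [""])[0]

    # Exact string comparison against the registered set. An unregistered URI gets an
    # error page, not a redirect: redirecting would hand the token to whoever chose it.
    if redirect_uri not in REGISTERED_CLIENTS.get(client_id, set()):
        return {"status": 400, "location": None, "body": "invalid_request: redirect_uri not registered"}

    if not user_consented:
        fragment = urlencode({"error": "access_denied", "state": state})
        return {"status": 302, "location": f"{redirect_uri}#{fragment}", "body": ""}

    # The token goes in the fragment (#...), which browsers do not send to the server
    # behind redirect_uri; only script running on that page can read it.
    fragment = urlencode({
        "access_token": issue_token(),
        "token_type": "bearer",
        "expires_in": "3600",
        "state": state,
    })
    return {"status": 302, "location": f"{redirect_uri}#{fragment}", "body": ""}


def parse_callback(location, expected_state):
    """Step 3 (client): read the token out of the fragment and tie it to the request we made."""
    fragment = parse_qs(urlsplit(location).fragment)
    if fragment.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect does not belong to our request")
    if "error" in fragment:
        raise PermissionError(fragment["error"][0])
    return fragment["access_token"][0]


if __name__ == "__main__":
    url = build_authorization_url("https://auth.example/authorize", "my-desktop-app",
                                  "http://127.0.0.1:8765/callback", "read", "demo-state")
    response = authorize(url.split("?", 1)[1], True, lambda: "constructed-token")
    print(response["location"])
    print(parse_callback(response["location"], "demo-state"))
```

The check that matters is the refusal path: a request whose `redirect_uri` is not in the registered set must never be redirected, because the redirect itself is what delivers the token.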

Redirect-URI is necessary because the service provider needs to redirect back to your application after the login/user-consent. In case of the desktop application, you will probably open a browser for the login/user-consent and need to get the authorization code or access token back into your desktop application.

Basically there are 3 ways to do this: Using OAuth 2 with desktop c# Application

Google describes the problem and the available options nicely: https://developers.google.com/accounts/docs/OAuth2InstalledApp

Vilmantas Baranauskas
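One way to get the redirect back into a desktop application, as an added example that is not from the answer above or from Google's documentation: the app opens the system browser and listens on a loopback address for the single redirect, which is one of the options Google's page describes. The authorization endpoint URL and client id are hypothetical, and `simulate_callback` stands in for the browser so the example runs offline. It captures an authorization code rather than an implicit-flow access token on purpose: a token in the URL fragment is never sent by the browser to the listener, so a loopback receiver would need to serve a page with script that forwards it.

```python
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit


class _CallbackHandler(BaseHTTPRequestHandler):
    """Serves the single redirect the browser makes back to the desktop app."""

    def do_GET(self):
        parts = urlsplit(self.path)
        if parts.path != self.server.callback_path:
            self.send_error(404)
            return
        # Record the query string; the caller validates it after handle_request returns.
        self.server.received = parse_qs(parts.query)
        body = b"Authorization received. You may close this window."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


class LoopbackReceiver:
    """Binds an ephemeral port on 127.0.0.1 and waits for exactly one redirect."""

    def __init__(self, callback_path="/callback"):
        self.server = HTTPServer(("127.0.0.1", 0), _CallbackHandler)
        self.server.callback_path = callback_path
        self.server.received = None
        self.state = secrets.token_urlsafe(16)  # one-time value bound to this attempt
        # The port is chosen by the OS, so the provider must accept any port on the
        # loopback address for the registered redirect URI (assumed provider policy).
        self.redirect_uri = f"http://127.0.0.1:{self.server.server_port}{callback_path}"

    def authorization_url(self, auth_endpoint, client_id, scope):
        """The URL to open in the system browser (hypothetical endpoint and client id)."""
        return auth_endpoint + "?" + urlencode({
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": self.state,
        })

    def wait_for_code(self, timeout=120):
        """Block for one request (or the timeout), then validate what arrived."""
        self.server.timeout = timeout
        try:
            self.server.handle_request()
        finally:
            self.server.server_close()  # the listener lives for a single redirect
        received = self.server.received
        if received is None:
            raise TimeoutError("no callback arrived on the loopback listener")
        if received.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: redirect was not for this authorization attempt")
        if "error" in received:
            raise PermissionError(received["error"][0])
        return received["code"][0]


def simulate_callback(receiver, code, state=None):
    """Stand-in for the browser: performs the redirect GET from a background thread."""
    state = receiver.state if state is None else state
    url = receiver.redirect_uri + "?" + urlencode({"code": code, "state": state})
    browser = threading.Thread(target=lambda: urllib.request.urlopen(url).read())
    browser.start()
    try:
        return receiver.wait_for_code(timeout=5)
    finally:
        browser.join()


if __name__ == "__main__":
    rx = LoopbackReceiver()
    print("open in browser:", rx.authorization_url("https://auth.example/authorize", "my-desktop-app", "read"))
    print("code:", simulate_callback(rx, "constructed-code"))
```

Anything on the machine can connect to a loopback port, so the `state` check is what stops another local process from pushing a code of its choosing into the app; the listener also closes after one request rather than staying up.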