
I'm creating a mobile app that uses the password authentication type through OAuth 2.0. I need to send four pieces of information to get an access token:

  • client id
  • client secret
  • username
  • password

My request looks something like this:

curl https://myapi.com --request POST --data 'grant_type=password&username=me@gmail.com&password=12345&client_id=123456&client_secret=!1@2#3$4%5^' --header "Content-Type: application/x-www-form-urlencoded"

I feel like it's not very secure to keep the client secret on the mobile device, but I'm at a loss as to where I should put it. At the same time, wouldn't exposing the client secret on the phone make this as secure as an implicit grant type: not as secure, but secure enough? Where should I put my client secret?

Thanks

jwerre
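The token request described in the question, written out as an added example (this is not code from the original post). It assumes the token endpoint `https://myapi.com` and the constructed credential values from the curl command above. Two things it shows that the raw curl string does not: every field is percent-encoded, so a secret containing `@`, `#`, `$` or `%` cannot corrupt the form body or be mis-decoded by the server, and `client_secret` is an optional field, which is how a native app acts as a public client under RFC 6749 instead of shipping a secret it cannot protect.

```python
"""Added example (not from the original post): building a password-grant
token request with proper form encoding. Assumes the endpoint and the
constructed credential values shown in the question."""
from typing import Dict, Optional
from urllib.parse import urlencode, parse_qs
import urllib.request

TOKEN_ENDPOINT = "https://myapi.com"  # endpoint as shown in the question


def build_password_grant_body(username: str, password: str, client_id: str,
                              client_secret: Optional[str] = None) -> str:
    """Return the application/x-www-form-urlencoded body for a
    Resource Owner Password Credentials request (RFC 6749 section 4.3.2).

    urlencode() percent-encodes every value, so reserved characters in a
    secret or password cannot break the field boundaries. client_secret
    is optional: a native mobile app is a public client and may omit it
    rather than embed it in the binary.
    """
    fields = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
    }
    if client_secret is not None:
        fields["client_secret"] = client_secret
    return urlencode(fields)


def decode_body(body: str) -> Dict[str, str]:
    """Decode a form body the way a token endpoint would, raising on
    malformed name=value pairs instead of silently accepting them."""
    parsed = parse_qs(body, strict_parsing=True, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def token_request(body: str) -> urllib.request.Request:
    """Build (but do not send) the POST. Credentials travel only in the
    body over HTTPS, never in the URL where they would land in logs."""
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=body.encode("ascii"),  # urlencode output is pure ASCII
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    # Constructed values taken from the question's curl example.
    body = build_password_grant_body("me@gmail.com", "12345", "123456",
                                     "!1@2#3$4%5^")
    print(body)
    print(decode_body(body))
    req = token_request(body)
    print(req.get_method(), req.full_url, req.data)
```

Calling `build_password_grant_body` without the last argument produces the public-client form of the request; whether the authorization server accepts that depends on how the client is registered there, which is the real decision behind the question.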

0 Answers