
The client secret is described as:

An optional private key that authenticates your integration when requesting an OAuth token.
You should only generate a client secret if you are requesting OAuth tokens from a server. Do not generate a client secret if you have a desktop, mobile, or web application directly issuing the OAuth token request.

Can anyone clarify why there is a difference between requesting a token from a server and from an application? Isn't using a client_secret generally more secure?

If I am creating an OAuth app that will be used by others to authenticate from different machines and possibly servers, should I add a client_secret or not?

My guess is that they wrote it that way due to the different OAuth 2.0 grant types: https://oauth.net/2/grant-types/

For the Auth Code grant types, you definitely need a client secret imo: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type


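Added example (not code from the thread, from GitHub, or from the linked Okta post): a constructed, in-process token endpoint that handles the two cases the docs distinguish. A server-side (confidential) client proves its identity with `client_secret`; a desktop, mobile or browser client cannot keep a secret, since anyone with the binary or the page source can read it, so it instead binds the authorization code to a one-time `code_verifier` (PKCE, RFC 7636), which goes a step beyond what the thread discusses. The client IDs, the secret, and the `AuthServer` class are all invented for the illustration; the PKCE verifier/challenge pair in the usage note is the one from RFC 7636 Appendix B.

```python
"""Constructed OAuth token endpoint: client_secret for confidential clients,
PKCE code_verifier for public clients. Illustration only, not GitHub's code."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed client registry. A public client has no secret at all: if it
# shipped one inside an app, every user could extract it and impersonate the app.
CLIENTS = {
    "srv-client": {"type": "confidential", "secret": "s3rv3r-s3cr3t-never-shipped"},
    "app-client": {"type": "public", "secret": None},
}


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method:
    challenge = BASE64URL(SHA256(ASCII(verifier))) without '=' padding."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


@dataclass
class AuthServer:
    """Minimal authorization server keeping issued codes in memory (constructed)."""
    issued_codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, code_challenge: Optional[str] = None) -> str:
        """Authorization endpoint: hand out a single-use code, remembering which
        client it was issued to and (for PKCE) the challenge sent with the request."""
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, form: dict) -> dict:
        """Token endpoint for grant_type=authorization_code."""
        rec = self.issued_codes.pop(form.get("code", ""), None)  # codes are one-shot
        if rec is None or rec["client_id"] != form.get("client_id"):
            return {"error": "invalid_grant"}
        client = CLIENTS[rec["client_id"]]
        if client["type"] == "confidential":
            # Server-side client: the secret authenticates the integration.
            if not hmac.compare_digest(form.get("client_secret", ""), client["secret"]):
                return {"error": "invalid_client"}
        else:
            # Public client: no secret exists; the verifier proves this is the same
            # party that started the flow, so an intercepted code alone is useless.
            verifier = form.get("code_verifier")
            if rec["challenge"] is None or verifier is None:
                return {"error": "invalid_request"}
            if not hmac.compare_digest(pkce_pair(verifier)[1], rec["challenge"]):
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def server_side_flow(srv: AuthServer, secret: str) -> dict:
    """A web backend redeems its code with client_id + client_secret."""
    code = srv.authorize("srv-client")
    return srv.token({"grant_type": "authorization_code", "code": code,
                      "client_id": "srv-client", "client_secret": secret})


def public_client_flow(srv: AuthServer) -> dict:
    """A desktop/mobile app redeems its code with the PKCE verifier, no secret."""
    verifier, challenge = pkce_pair()
    code = srv.authorize("app-client", code_challenge=challenge)
    return srv.token({"grant_type": "authorization_code", "code": code,
                      "client_id": "app-client", "code_verifier": verifier})


def intercepted_code_replay(srv: AuthServer) -> dict:
    """Attacker captures the app's authorization code (e.g. from a custom URL
    scheme) but not the verifier, which never left the app's memory."""
    _, challenge = pkce_pair()
    code = srv.authorize("app-client", code_challenge=challenge)
    return srv.token({"grant_type": "authorization_code", "code": code,
                      "client_id": "app-client", "code_verifier": "guessed-verifier"})


if __name__ == "__main__":
    srv = AuthServer()
    print(server_side_flow(srv, CLIENTS["srv-client"]["secret"]))
    print(public_client_flow(srv))
    print(intercepted_code_replay(srv))
```

Running the block shows a bearer token for both legitimate flows and `invalid_grant` for the replayed code. Checking `pkce_pair("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` against the RFC 7636 Appendix B challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM` is a quick way to confirm the S256 encoding is right before wiring this against a real provider.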