When to generate client secret for an OAuth app?

Topic Labels: API
Confused
4 - Data Explorer

The client secret is described as:

An optional private key that authenticates your integration when requesting an OAuth token.
You should only generate a client secret if you are requesting OAuth tokens from a server. Do not generate a client secret if you have a desktop, mobile, or web application directly issuing the OAuth token request.

Can anyone clarify why there is a difference between requesting a token from a server and from an application? Isn't using a client_secret generally more secure?

If I am creating an OAuth app that will be used by others to authenticate from different machines and possibly servers, should I add a client_secret or not?

1 Reply

My guess is that they wrote it that way due to the different OAuth 2.0 grant types: https://oauth.net/2/grant-types/

For the Auth Code grant types, you definitely need a client secret imo: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
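To illustrate the distinction behind the quoted guidance, here is an added example (not code from Airtable's docs or from either poster): a server-side "confidential" client proves its identity at the token endpoint with client_secret, while a desktop, mobile or browser client that cannot keep a secret from its users uses the PKCE extension (RFC 7636) instead, and a token endpoint modelled here checks each kind accordingly. All client ids, codes, URIs and the registration record are constructed placeholders.

```python
import base64
import hashlib
import secrets


def _s256(code_verifier):
    """BASE64URL(SHA256(code_verifier)) without padding, per RFC 7636."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: random verifier (kept in memory) and the challenge sent
    with the authorization request. Returns (code_verifier, code_challenge)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, _s256(verifier)


def verify_pkce(code_challenge, code_verifier):
    """Authorization server side: what replaces a client_secret check for
    public clients. Constant-time compare of the recomputed challenge."""
    return secrets.compare_digest(_s256(code_verifier), code_challenge)


def confidential_token_request(client_id, client_secret, code, redirect_uri):
    """Token request built by a server-side integration; the secret never
    leaves the server, so presenting it is meaningful."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}


def public_token_request(client_id, code, redirect_uri, code_verifier):
    """Token request from a desktop/mobile/web app: no secret at all, because
    anything shipped in such an app can be extracted; PKCE binds the exchange."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": code_verifier}


def token_endpoint_accepts(registered, request, stored_challenge=None):
    """Model of the token endpoint's decision. `registered` is a constructed
    client record: {"client_id": str, "confidential": bool, "client_secret": str|None}.
    `stored_challenge` is the code_challenge saved with the authorization code."""
    if request.get("client_id") != registered["client_id"]:
        return False
    if registered["confidential"]:
        presented = request.get("client_secret", "")
        return secrets.compare_digest(presented, registered["client_secret"] or "")
    # Public client: a secret it could not have kept proves nothing, so only PKCE counts.
    verifier = request.get("code_verifier")
    return verifier is not None and stored_challenge is not None \
        and verify_pkce(stored_challenge, verifier)
```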