Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Difference between Oauth in frontend and backend

I can implement Oauth in React-frontend(https://www.npmjs.com/package/react-google-login, input taken is only clientID) as well as SpringBootSecurity-backend(https://github.com/spring-guides/tut-spring-boot-oauth2, input taken is clientID as well as clientSecret). What is the difference between these two ways? More specifically how is the presence and absence of clientSecret affecting these two ways.

like image 766
Varun V Avatar asked Oct 24 '25 08:10

Varun V


1 Answers

Without a client secret, the React frontend (perhaps a SPA: Single Page App) completely relies on the redirect uri that was registered with the auth server to provide some semblance of security. This uri was previously registered with the auth server. However, it is not as secure since the malicious app/user can tap into the communication on the redirect uri. Mobile apps suffer as well in this circumstance. And the client id is available just by inspecting the source in a browser. Therefore the malicious app has all the information to mount an attack and access the token. This is known as OAUTH "implicit" grant type flow. And it leads to token leakage or token replay.

To circumvent this issue, PKCE (Proof Key for Code Exchange) comes into the picture. Details here. Provides information on the reason for its existence in terms of shortcomings of the implicit flow that you document in your question.

The PKCE RFC here also details attack scenarios.

There is also this answer that answers very well on this aspect on this very site.

like image 132
Khanna111 Avatar answered Oct 26 '25 01:10

Khanna111



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!