I've been reading about OAuth2 here: http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified, and in the authorization section, it says that OAuth has different modes depending on the use case.
Two of the use cases which are mentioned are browser-based apps and web server apps. My first question is: what's the difference between web server apps and browser-based apps? I thought web server apps were apps running on a server that runs some kind of HTTP server and handles the GET/POST requests. How is that different from browser-based apps? My second question is: why does OAuth distinguish between the two of them?
Those two modes differ in where the actual logic which requests and processes OAuth exchanges resides, and in the complexity of the exchanges between the OAuth Authorization server and the Client.
For web server applications (authorization code grant) a user typically requests OAuth operations through a browser, but it is the backend (or at least the server side) of the application which performs all redirects and handles/verifies the response from the Authorization server. In browser-based applications (implicit grant) it is the front end of the application (typically JavaScript running inside a web page) which does all the work.
These modes also differ in their security aspects. In the first one the OAuth server is authenticating the client applications (= it's making sure it knows to whom it's sending the tokens). The second approach is meant to be as simple as possible (to simplify processing in JavaScript) and doesn't perform client verification. It is also not allowed to send refresh tokens using the latter approach. Another security issue of the latter approach is that it has a bigger chance of exposing the token to attackers (the token is sent as a fragment in the URL, as opposed to exchanging an authorization code for an access token).
You can find some more details in OAuth 2.0 Threat Model and Security Considerations.
The reason why the OAuth 2 framework includes the implicit grant is to offer a simplified and therefore easy-to-implement approach to OAuth for a certain class of applications.
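To make the contrast concrete, here is an added example (not part of the original answer) with a toy in-memory authorization server: the authorization code grant hands the browser only a single-use code that the confidential client redeems on the back channel with its client secret, while the implicit grant puts the access token straight into the URL fragment and issues no refresh token. Client ids, secrets and redirect URIs are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

class ToyAuthServer:
    """In-memory stand-in for an OAuth 2.0 authorization server (constructed)."""
    def __init__(self):
        # Constructed registrations: 'webapp' is confidential (has a secret), 'spa' is a public browser app.
        self.clients = {"webapp": {"secret": "s3cret", "redirect": "https://app.example/cb"},
                        "spa": {"secret": None, "redirect": "https://spa.example/cb"}}
        self.codes = {}   # authorization code -> client_id (single use)
        self.tokens = {}  # access token -> client_id

    def authorize(self, response_type, client_id, redirect_uri):
        """Front channel: builds the redirect the user's browser is sent back with."""
        client = self.clients[client_id]
        if redirect_uri != client["redirect"]:
            raise ValueError("redirect_uri mismatch")
        if response_type == "code":  # authorization code grant
            code = secrets.token_urlsafe(16)
            self.codes[code] = client_id
            return f"{redirect_uri}?{urlencode({'code': code})}"
        if response_type == "token":  # implicit grant
            tok = secrets.token_urlsafe(16)
            self.tokens[tok] = client_id
            # Token goes straight into the URL fragment; no refresh token is issued.
            return f"{redirect_uri}#{urlencode({'access_token': tok, 'token_type': 'bearer'})}"
        raise ValueError("unsupported response_type")

    def token(self, code, client_id, client_secret):
        """Back channel: server-to-server exchange that authenticates the client."""
        client = self.clients.get(client_id)
        if client is None or client["secret"] is None or client_secret != client["secret"]:
            raise PermissionError("client authentication failed")
        if self.codes.pop(code, None) != client_id:  # single use, bound to the client
            raise PermissionError("invalid or reused authorization code")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = client_id
        return {"access_token": tok, "token_type": "bearer",
                "refresh_token": secrets.token_urlsafe(16)}

def code_flow(server):
    """Web server app: the browser carries only the code; the backend redeems it."""
    cb = server.authorize("code", "webapp", "https://app.example/cb")
    code = parse_qs(urlparse(cb).query)["code"][0]
    return server.token(code, "webapp", "s3cret")

def implicit_flow(server):
    """Browser-based app: the access token itself arrives in the URL fragment."""
    cb = server.authorize("token", "spa", "https://spa.example/cb")
    return parse_qs(urlparse(cb).fragment)
```

Because the fragment is never sent to the server hosting the redirect page, the implicit-grant token lives only in the browser, which is exactly why the answer calls out the higher exposure risk and the absence of client verification.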