OAuth 2.0 Demystified: Client Types

From the Four Roles post, we know that the alternative banking app is known as the client in OAuth 2.0. OAuth 2.0 (RFC 6749, Section 2.1) defines two types of client applications, viz., a confidential client and a public client. The distinction rests on a single criterion: whether the client can authenticate securely to the authorization server, that is, whether it can keep its client credentials confidential.

Confidential Client

A confidential client is a client application that can keep its credentials confidential and can therefore authenticate securely to the authorization server. The typical example is a server-side application whose client secret is stored on the server with restricted access. Because such a client can prove its identity, the authorization server can authenticate it at the token endpoint before issuing tokens.

Public Client

A public client is a client application that cannot keep its credentials confidential, for example a browser-based application or a native application: any secret embedded in it can be extracted by the resource owner or by other software on the same device. The practical consequence is that a public client should not be issued a client secret at all. The authorization server can only identify it by its client_id and must rely on other safeguards, such as registered redirect URIs and PKCE (RFC 7636), rather than on client authentication.

Profiles

The OAuth 2.0 specification (RFC 6749, Section 2.1) was designed around three client profiles, viz.,

  1. A web application: The specification considers a web application to be a client application that runs on a web server and that resource owners access using a browser. The client credentials and any tokens the client obtains stay on the web server and are never exposed to the resource owner. Therefore, it is a confidential client.
  2. User-agent-based application: A user-agent-based application is considered to be a public client because its code is downloaded to the browser and executed on the device used by the resource owner, so any credentials or tokens it holds are visible to the resource owner and to any script running in that browser context. This typically refers to Angular or React single-page apps, amongst others.
  3. Native application: A native application is a client application that is installed and running on the resource owner's device. It is considered a public client because anything embedded in the application, including any client credentials, as well as the tokens it stores, is accessible to the resource owner. A secret shipped inside an app is no longer a secret once the app is distributed.
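To make the distinction concrete on the wire, here is an added example (it is not code from the original post, and not from any OAuth library) of how an authorization server's token endpoint treats the two client types differently. The client registry, the client identifiers (web-app, spa, mobile), the secret value, the helper names and the sample requests are all constructed for this illustration. A confidential client authenticates with its secret (HTTP Basic, or in the form body, per RFC 6749 Section 2.3.1); a public client presents no secret and is only identified by client_id, so the server binds its token request to the flow with PKCE (RFC 7636) instead. A public client that shows up with a secret is refused, since any secret it holds is public knowledge.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed client registry (an assumption of this example, not data from the post).
# Only confidential clients are registered with a secret; public clients are
# identified by client_id alone and never receive one.
CLIENTS: Dict[str, Dict[str, str]] = {
    "web-app": {"type": "confidential", "secret": "s3cr3t-only-on-the-server"},
    "spa":     {"type": "public"},   # user-agent-based application
    "mobile":  {"type": "public"},   # native application
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """What a confidential client sends at the token endpoint (RFC 6749, 2.3.1):
    id and secret are form-urlencoded, joined with ':' and Base64-encoded."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 'S256' transform: BASE64URL(SHA-256(code_verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _presented_credentials(headers: Dict[str, str],
                           params: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (client_id, client_secret) from the Basic header or, failing that,
    from the form body; None when the request carries no secret at all."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme == "Basic":
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return ("", "")   # malformed header: fails the registry lookup below
        client_id, _, secret = decoded.partition(":")
        return unquote(client_id), unquote(secret)
    if "client_secret" in params:
        return params.get("client_id", ""), params["client_secret"]
    return None


def token_endpoint_client_check(headers: Dict[str, str], params: Dict[str, str],
                                stored_challenge: Optional[str]) -> Dict[str, str]:
    """Decide which client is calling. Returns {"client_id": ...} on success or
    {"error": ...} using RFC 6749 error codes. stored_challenge is the PKCE
    code_challenge the server saved when it issued the authorization code."""
    creds = _presented_credentials(headers, params)
    if creds is not None:
        client_id, secret = creds
        client = CLIENTS.get(client_id)
        # A secret only means something for a confidential client. A public
        # client presenting one was mis-registered: that secret is public knowledge.
        if client is None or client["type"] != "confidential":
            return {"error": "invalid_client"}
        if not hmac.compare_digest(secret.encode("utf-8"), client["secret"].encode("utf-8")):
            return {"error": "invalid_client"}
        return {"client_id": client_id}

    # No secret presented: only a public client may proceed, and it is merely
    # identified by client_id, not authenticated. A confidential client that
    # skips authentication is refused.
    client_id = params.get("client_id", "")
    client = CLIENTS.get(client_id)
    if client is None or client["type"] != "public":
        return {"error": "invalid_client"}
    # The public client cannot prove who it is, so bind this request to the
    # party that started the flow with PKCE (RFC 7636) instead.
    verifier = params.get("code_verifier", "")
    if stored_challenge is None or not 43 <= len(verifier) <= 128:
        return {"error": "invalid_grant"}
    if not hmac.compare_digest(pkce_challenge(verifier).encode("utf-8"),
                               stored_challenge.encode("utf-8")):
        return {"error": "invalid_grant"}
    return {"client_id": client_id}


if __name__ == "__main__":
    # Confidential web app: authenticates with its secret.
    print(token_endpoint_client_check(
        {"Authorization": basic_auth_header("web-app", "s3cr3t-only-on-the-server")},
        {"grant_type": "authorization_code", "code": "abc"}, None))
    # Public SPA: no secret; proves continuity of the flow with PKCE instead.
    verifier = secrets.token_urlsafe(32)   # 43 URL-safe characters
    print(token_endpoint_client_check(
        {}, {"grant_type": "authorization_code", "code": "abc",
             "client_id": "spa", "code_verifier": verifier},
        pkce_challenge(verifier)))
    # Public SPA that was (wrongly) given a secret and ships it: refused.
    print(token_endpoint_client_check(
        {"Authorization": basic_auth_header("spa", "leaked")}, {"client_id": "spa"}, None))
```

The secret comparison uses hmac.compare_digest so that a wrong secret takes the same time to reject regardless of where it differs; the PKCE check is the one thing standing between a stolen authorization code and a token for a public client, so it is treated as mandatory for that client type rather than optional.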