I want my OAuth Authorization Server owner to show (information about) the clients that have been registered. Is it OK to use the client_id as a public client identifier, or should the client_id also be confidential (like client_secret)? I'd also share the client metadata client_name and client_uri to show a list of registered clients, but these are not problematic. Sure, I could add another indirection by managing an internal mapping between public client ids and client_id, but is this actually necessary from a security point of view?
1 Answer
Your client_id is like your username or e-mail address you use to authenticate your application/service to OAuth. It's not exactly top-secret, but putting it out in the public domain might also be undesirable.
Especially if you're going to combine it in a list along with the client_name and redirect_uri it becomes a little dangerous. Because you're giving out pretty much all the client information, it could become an interesting list for attackers. If they want to target any of the apps/services on your list, they already have a lot of information and still only need to "crack" the secret to identify themselves as your client. Of course, cracking the secret should not be a very easy task, but you are basically giving away some free information that's normally not part of the public domain.
I'd advise caution when you decide to go on with this, like not having pages/lists like this indexed by search engines (if it's an online list), stored in a public folder on your home/company network (if it's a digital list), or lying around on your desk (if it's a physical list).
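The point both the question and the answer turn on is that, in the authorization code flow, client_id is sent through the front channel (it sits in the authorization URL the end user's browser is redirected to, so any user of the app can read it), while client_secret is only ever presented on the back channel to the token endpoint. The following added example (written for this page, not code from the asker or the answerer) shows a minimal in-memory client registry that treats the two values accordingly: the owner's listing exposes only client_id, client_name and client_uri, the secret is stored salted and hashed like a password, and the token-endpoint check compares digests in constant time. All names, URLs and data are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 of the client secret; the clear secret is never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def register_client(registry: dict, client_name: str, client_uri: str, redirect_uris: list) -> tuple:
    """Dynamic-registration-style helper: returns (client_id, client_secret).

    The secret is returned exactly once, to the developer registering the app;
    only its salted digest goes into the registry.
    """
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    registry[client_id] = {
        "client_name": client_name,
        "client_uri": client_uri,
        "redirect_uris": list(redirect_uris),
        "secret_salt": salt,
        "secret_hash": _hash_secret(client_secret, salt),
    }
    return client_id, client_secret


def public_listing(registry: dict) -> list:
    """What the AS owner's 'registered clients' page may show.

    Only non-secret metadata is copied out; secret digests, salts and the
    redirect_uris (which the answer above flags as extra help to an attacker)
    stay out of the listing.
    """
    return [
        {"client_id": cid, "client_name": c["client_name"], "client_uri": c["client_uri"]}
        for cid, c in registry.items()
    ]


def authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Front channel: builds the URL the user's browser is sent to.

    client_id is a query parameter here, visible to the end user and to
    anything that logs URLs; client_secret must never appear in it.
    """
    return auth_endpoint + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    })


def authenticate_client(registry: dict, client_id: str, client_secret: str) -> bool:
    """Back channel (token endpoint): client_id selects the record, client_secret proves it.

    An unknown client_id still costs one PBKDF2 computation so that the timing
    of the failure does not reveal whether the id exists.
    """
    client = registry.get(client_id)
    if client is None:
        _hash_secret(client_secret, b"\x00" * 16)  # dummy work, result discarded
        return False
    candidate = _hash_secret(client_secret, client["secret_salt"])
    return hmac.compare_digest(candidate, client["secret_hash"])


if __name__ == "__main__":
    # Constructed demo data (hypothetical client and endpoints).
    registry = {}
    cid, csec = register_client(registry, "Example App", "https://app.example", ["https://app.example/cb"])
    print("public listing:", public_listing(registry))
    print("front-channel URL:", authorization_url("https://as.example/authorize", cid, "https://app.example/cb", "s3cr3tstate"))
    print("token endpoint accepts real secret:", authenticate_client(registry, cid, csec))
    print("token endpoint accepts wrong secret:", authenticate_client(registry, cid, csec + "x"))
```

Seen this way, publishing client_id on the owner's page changes nothing about what an attacker already gets by using (or sniffing the redirects of) any one of the registered apps; what the listing must not leak is the secret material and, per the answer, ideally not the redirect_uri either.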