The company I work for has created an API that is used by mobile devices. I've been reading up on using oAuth for mobile applications and from what I understand it is recommended that you use implicit grant rather than the embedding the secret key in your application.
Why is the implicit flow considered more secure in this case? Isn't this just allowing anyone to access your API regardless of whether they have the secret key or not?
Isn't this just allowing anyone to access your API regardless of whether they have the secret key or not?
Yes, The implicit grant lacks the ability to authenticate the client, which the other grants can do — further introducing attack vectors that the authorization grants, which require a client secret, do not experience.
The use case for implicit grant is authentication of end users and access by client to a resource (possibly owned by the end user) and should be used by SPA Apps (and any other Javascript/User-agent-based app).
If client authentication is important then a different grant must be implemented.
Implicit grant is more secure in the sense that it wouldn't expose the client secret, which can be shared across your internal applications.
Here's a good read on when to use which (OAuth2) grants and OIDC flows https://community.apigee.com/articles/41719/when-to-use-which-oauth2-grants-and-oidc-flows.html
The primary reason you should not use a secret key is that you cannot trust the device to protect the secret key. You probably understand that the secret key is not safe in a javascript client application because the javascript is usually somewhat easily readable. Likewise, a hacker or thief that gets their hands on a tablet device or smart phone may be able to obtain the binary for your application and extract the secret key from the source code. Secret keys are ideally only used for server to server communication, or for apps internal to your organization.
