Client Types
Confidential Clients
Confidential clients are applications that can securely store client credentials (such as client secrets). These clients are typically server-side applications, such as web applications or backend services.- Examples: Web applications, backend services
- Security: Can securely store client secrets
- Use Cases: Suitable for scenarios where the client can maintain the confidentiality of its credentials.
Public Clients
Public clients are applications that cannot securely store client credentials. These clients are typically client-side applications, such as single-page applications (SPAs) or mobile apps.- Examples: Single-page applications (SPAs), mobile apps
- Security: Cannot securely store client secrets
- Use Cases: Suitable for scenarios where the client cannot maintain the confidentiality of its credentials.
Overview of Client Types
| Aspect | Confidential Clients | Public Clients |
|---|---|---|
| Definition | Can securely store client credentials (secret would be never be exposed) | Cannot securely store client credentials (secrets would be exposed in the client environment) |
| Examples | Web applications, backend services | Single-page applications (SPAs), mobile apps |
| Security | Higher security due to ability to store secrets | Lower security due to exposure of secrets |
| Authentication method | Uses client_secret for authentication | Typically uses PKCE or other methods without client_secret |
| Can use client secret? | Yes | No |
| Require redirect uri | Can use exact URIs or localhost but usually HTTPS | Often allows loopback URIs (127.0.0.1) or custom schemes (myapp://) or HTTPS origins; exact match or limited patterns. |
Clients in authorization flows
| Flow / Grant type | Confidential Clients | Public Clients |
|---|---|---|
| Authorization Code Grant | ✅ Allowed (recommended) | ⚠️ Allowed but strong discouraged without PKCE |
| Authorization Code with PKCE | ✅ Allowed | ✅ Allowed (Required) |
| Implicit Grant | ❌ Not Allowed | ❌ Not Allowed |
| Client Credentials Grant | ✅ Allowed | ❌ Not Allowed |
| Resource Owner Password Credentials Grant | ✅ Allowed | ⚠️ Allowed but strong discouraged |
| Device code Grant | ✅ Allowed | ✅ Allowed |
Choosing the Right Client Type
When selecting a client type, consider the following factors:- Application Architecture: Determine whether your application is server-side or client-side.
- Security Requirements: Assess the sensitivity of the data being accessed and the need for secure credential storage.
- User Experience: Consider how the client type will impact the user experience during authentication and authorization flows. Consult the Camall documentation for specific implementation details and best practices for each client type.
Supported Grant Types
Camall supports various OAuth 2.0 grant types for both confidential and public clients, including:- Authorization Code Grant
- Implicit Grant
- Client Credentials Grant
- Resource Owner Password Credentials Grant
- Refresh Token Grant Refer to the Camall documentation for detailed information on each grant type and its appropriate use cases.
Security Best Practices
- Always use HTTPS to protect data in transit.
- Regularly rotate client secrets for confidential clients.
- Implement proper scopes and permissions to limit access to resources.
- Monitor and log client activity for suspicious behavior.
- Educate users about the importance of secure authentication practices. By understanding the different client types and their use cases, you can make informed decisions to enhance the security and functionality of your applications using Camall.