@jgayfer I also might not be using it properly.

I’m in an OOB app (CLI). So I agree, I don’t need the client_secret for the original auth request. But once that request is done, I’m returning to my terminal and *need* to address the OAuth2 token URL with the client_secret to get my token.

Maybe that’s inherent to the very nature of the type of app I’m coding. Maybe I shouldn’t do this with OAuth2. Maybe I’m doing something wrong. But I cannot figure it out another way 🤷

@mortal @jgayfer A client that cannot securely store its secret is called public. For example, CLI and mobile apps are usually public ones. For instance, the secret of the Google Cloud CLI is a publicly known string.

There are methods that allow public clients to mitigate some risks related to the fact that their secret is public. For example, DPoP allows one to bind access and refresh tokens to a specific private key that could be stored on a specific device (binding user authorization to the device).
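The device binding described above, as an added example that is not code from this thread or from any project mentioned in it: the CLI signs a DPoP proof over its token-endpoint request with a key that never leaves the device, and the server refuses that proof for any other method, URL or time window. Assumptions (constructed): the caller supplies a P-256 key, the freshness window is 5 minutes with 60 s of clock skew, and the `jti` replay cache and server nonce that RFC 9449 also call for are left out to keep the example short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
var enc = base64.RawURLEncoding // JWS uses base64url without padding
func pad32(i *big.Int) []byte { return i.FillBytes(make([]byte, 32)) }
func dec(s string) []byte     { b, _ := enc.DecodeString(s); return b }
// NewDPoPProof (client side) signs a proof for one request (method htm, URL htu) with a device-held P-256 key; only the public JWK travels, in the header.
func NewDPoPProof(key *ecdsa.PrivateKey, htm, htu string, now int64) (string, error) {
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": enc.EncodeToString(pad32(key.X)), "y": enc.EncodeToString(pad32(key.Y))}
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk})
	jti := make([]byte, 16) // unique per proof, so a captured proof cannot be replayed
	rand.Read(jti)
	claims, _ := json.Marshal(map[string]any{"jti": enc.EncodeToString(jti), "htm": htm, "htu": htu, "iat": now})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(append(pad32(r), pad32(s)...)), nil // JWS signature is raw R||S
}
// VerifyDPoPProof (server side): the ES256 signature must verify under the embedded JWK, and the proof must name the request actually received and be fresh.
func VerifyDPoPProof(proof, htm, htu string, now int64) error {
	p := strings.Split(proof, ".")
	var hdr struct{ Jwk struct{ X, Y string } }
	var c struct{ Htm, Htu string; Iat int64 }
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &c) != nil || len(dec(p[2])) != 64 {
		return errors.New("malformed proof")
	}
	sig := dec(p[2])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.Jwk.X)), Y: new(big.Int).SetBytes(dec(hdr.Jwk.Y))}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // always checked as ES256/P-256, whatever the header claims
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature does not verify under the proof's key")
	}
	if c.Htm != htm || c.Htu != htu || c.Iat > now+60 || now-c.Iat > 300 { // constructed freshness window
		return errors.New("proof is for a different request or is not fresh")
	}
	return nil
}
```

The token endpoint then issues tokens bound to the JWK in the proof, so a leaked client_secret alone is not enough to obtain or use them.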