
Confidential vs. Public Applications - Understanding Client Types

Explore the differences between confidential and public client applications in terms of security, capabilities, and use cases in authentication protocols.

Vincent Delitz

Created: May 17, 2024

Updated: May 12, 2026

Confidential and Public Applications are classifications of client applications in OAuth 2.0, distinguished by their ability to securely handle credentials such as client secrets.

What are Confidential and Public Applications?

Confidential and Public Applications refer to two classifications of client applications in OAuth 2.0, distinguished by their ability to securely handle credentials like client secrets. Confidential applications can securely store credentials and are typically server-side applications, while public applications cannot securely store credentials and are often client-side apps, such as mobile or desktop applications.

  • Confidential applications can secure credentials and perform robust authentication.
  • Public applications are unable to secure credentials and require different security measures.
  • Both types use OAuth 2.0 for authentication but differ in their security capabilities.

Characteristics of Confidential Applications

  • Secured Environment: Runs on servers where direct access by users or attackers is restricted.
  • Capability to Secure Secrets: Able to safely store client secrets used for authentication.
  • Best Practices: Includes using managed identities, secure storage, and regular rotation of client secrets.

Characteristics of Public Applications

  • Run on Client Devices: Such as desktops, mobile devices, or browsers, where users or attackers can inspect the application's code.
  • Inability to Secure Secrets: Cannot safely store client secrets due to the risk of exposure.
  • Authentication Flow: Uses OAuth 2.0 flows that do not require client secrets for authentication.

Security Measures and Best Practices

  • For Confidential Applications: Utilize secure channels for transmitting secrets, use encryption for stored data, and implement strict access controls.
  • For Public Applications: Employ strong client-side security measures such as PKCE (Proof Key for Code Exchange) to enhance the security of OAuth flows.

FAQs about Confidential and Public Applications

What defines a confidential application in OAuth 2.0?

A confidential application is one that can secure client credentials (like client IDs and secrets) and use these for authenticating with authorization servers.

Why can't public applications hold credentials securely?

Public applications run in environments like personal devices or browsers where the secure storage of credentials is not feasible, making them susceptible to attacks such as reverse engineering.

How do public and confidential applications handle token authentication differently?

Confidential applications can use secrets to authenticate and obtain tokens, while public applications typically use alternative methods like PKCE to secure their token exchanges without needing a client secret.

Are there specific OAuth 2.0 flows designed for public applications?

Yes, public applications often use the Authorization Code flow with PKCE, which enhances security for apps unable to hold secrets.
