Trusted versus untrusted clients

Excerpted from Mastering OAuth 2.0

When dealing with various OAuth 2.0 providers, there are only two levels of trust: trusted and untrusted. The categorization of a client into either of these trust levels is determined by two simple capabilities: the ability to securely store and transmit information. These two levels can then be summarized as follows:

  • A trusted client is an application that is capable of securely storing and transmitting confidential information. Because of this, it can be trusted to store its client credentials, tokens, or any other resources its application needs. An example of a trusted client is a typical 3-tier client-server-database application, where the presence of a backend server facilitates the secure storage and transmission of any confidential information.
  • An untrusted client is one that is incapable of securely storing or transmitting confidential information. Because of this, it cannot be trusted to store its client credentials or any other confidential information. An example of an untrusted client is a browser-based application, say, an HTML/JavaScript application, where there is no server in which to securely store information. All information must be stored in the browser, which is fully accessible to the user and should be considered public.
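The practical consequence of this split falls on the authorization server's token endpoint: a trusted client can be held to a secret, while an untrusted client's client_id alone proves nothing, so the server must not rely on it. The following is an added illustration, not code from the book or from any OAuth 2.0 library; the client registry, secrets and the policy of refusing a trusted-client-only grant to untrusted clients are constructed assumptions for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def _hash_secret(secret: str) -> str:
    # Store only a digest of the secret on the server side, never the secret itself.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    trusted: bool                       # True = can keep a secret (has a backend)
    secret_hash: Optional[str] = None   # issued only to trusted clients


# Constructed sample registry: one backend application that can protect a secret,
# one browser-based application that cannot.
CLIENT_REGISTRY = {
    "backend-app": RegisteredClient("backend-app", True, _hash_secret("demo-secret-value")),
    "spa-app": RegisteredClient("spa-app", False),
}

# Assumed policy: grants that rely on client identity alone are reserved for trusted clients.
TRUSTED_ONLY_GRANTS = {"client_credentials"}


def authenticate_client(client_id: str, client_secret: Optional[str],
                        grant_type: str) -> Tuple[bool, str]:
    """Decide whether a token request's client is acceptable and how much to trust it."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return False, "unknown client_id"
    if client.trusted:
        # A trusted client must prove possession of its secret; compare in constant time.
        if client_secret is None:
            return False, "trusted client must authenticate with its secret"
        if not hmac.compare_digest(_hash_secret(client_secret), client.secret_hash):
            return False, "client authentication failed"
        return True, "authenticated trusted client"
    # Untrusted client: anything it holds is public, so a presented secret proves nothing
    # and it must not be granted anything that depends on client identity alone.
    if client_secret is not None:
        return False, "untrusted client presented a secret it cannot protect"
    if grant_type in TRUSTED_ONLY_GRANTS:
        return False, f"{grant_type} is not available to untrusted clients"
    return True, "untrusted client accepted; client_id is not proof of identity"
```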

Reposted from blog.csdn.net/u013887008/article/details/80589870