Does anyone have an approachable article for "don't trust the client"? Best I've found is the OAuth threat model RFC (RFC 6819), but it's a bit too long to ask others to read for a quick overview :) (not work related)
Good question. If you find anything, let me know and I can add a link to it on oauth.net/2/native-apps/
ooh, the Google link is at least helpful for "look, I'm not crazy, Google don't trust client secrets on Windows" :)
Replying to @fredemmott
oh you're definitely not crazy, I just sometimes forget that not everybody already knows this :-) Most of what I've written on this starts with the assumption that the reader already knows mobile apps can't keep secrets.

Jan 14, 2019 · 6:10 PM UTC