> And what about multiple confidential clients being set up with the same
> id/secret.

Bad idea. For security when you see one confidential client doing bad things you will need to revoke it individually. If multiple confidential clients have the same client secrets, that's no longer possible.

--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805

> On Nov 4, 2015, at 8:01 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:
>
> Hi All
>
> I'm having a discussion with my colleagues on the pros and cons of sharing a
> client_id.
>
> For example, say we have N number of public mobile applications (the same
> application package, an application instance on an individual phone), and one
> approach is for each of these applications to have the same client_id.
>
> I've been trying to analyze why it can be bad and the only thing I can come
> up with is that there will be no (easy) way to track which application
> instance actually accessed a given RS.
>
> Can someone please explain what the pros and cons are of having the same
> client_id shared between public client applications.
>
> And what about multiple confidential clients being set up with the same
> id/secret. I suspect it is a bad idea but what is main line why it is a bad
> idea, let's say it is all done in the protected network, no chance of the bad
> clients interfering...
>
> Thanks, Sergey
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
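
The revocation point made in the reply above, as an added example that is not part of the original thread: a toy client registry showing which deployments lose access when one registration is revoked. The `ClientRegistry` class and the deployment names are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


class ClientRegistry:
    """Toy authorization-server client store (hypothetical, for illustration)."""

    def __init__(self):
        # client_id -> {"hash": bytes, "deployments": set, "active": bool}
        self._clients = {}

    def register(self, deployments):
        """Issue a fresh client_id/secret covering the given deployment(s)."""
        client_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._clients[client_id] = {
            # Secret is 256 bits of randomness, so a plain hash is enough at rest.
            "hash": hashlib.sha256(secret.encode()).digest(),
            "deployments": set(deployments),
            "active": True,
        }
        return client_id, secret

    def authenticate(self, client_id, secret):
        rec = self._clients.get(client_id)
        if rec is None or not rec["active"]:
            return False
        candidate = hashlib.sha256(secret.encode()).digest()
        return hmac.compare_digest(rec["hash"], candidate)

    def revoke(self, client_id):
        """Disable one registration; return every deployment that loses access."""
        rec = self._clients[client_id]
        rec["active"] = False
        return sorted(rec["deployments"])


def demo():
    names = ["billing", "reports", "search"]  # constructed deployment names

    shared = ClientRegistry()
    cid, _ = shared.register(names)           # one id/secret for all three
    shared_outage = shared.revoke(cid)        # "reports" misbehaves, all are cut off

    separate = ClientRegistry()
    creds = {n: separate.register([n]) for n in names}
    separate_outage = separate.revoke(creds["reports"][0])
    still_ok = sorted(n for n, (c, s) in creds.items() if separate.authenticate(c, s))
    return shared_outage, separate_outage, still_ok


if __name__ == "__main__":
    print(demo())
```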