How to Secure Oauth 2.0 Client ID and Client Secret

0 votes
asked by user: (120 points)

When an Android OAuth 2.0 client application has the client ID and client secret hard-coded in it, it is very easy to decompile the application and retrieve the credentials. Then what is the use of providing these credentials to the OAuth server?

commented by user: (140 points)
Who said that you have to hard-code your client id/secret?


0 votes
answered by user: (1.9k points)

It is not recommended to hard-code client_id and client_secret into a native app, i.e. to use what is called a "confidential client" in a mobile app scenario, exactly because the client_secret cannot be kept a secret.

A native app would typically be a "public client" to the Authorization Server, i.e. one that does not have a client_secret. Security would come from the fact that a unique redirect URI is registered and additional OAuth features like PKCE are applied.

For general recommendations on using OAuth 2.0 for native apps see:, especially the security considerations at:
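The public-client pattern the answer describes, worked through in code as an added example that is not part of the original answer: the app derives a PKCE code_verifier and S256 code_challenge (per RFC 7636), and a toy authorization server binds the issued authorization code to that challenge and to the exact registered redirect URI, so a code captured by another app on the device is useless without the verifier. The `AuthorizationServer` class, its client IDs, redirect URIs and error strings are all constructed for illustration; the only fixed values are the RFC 7636 Appendix B test vector used to check the challenge derivation.

```python
"""PKCE (RFC 7636) for a public OAuth 2.0 client: no client_secret involved.

Constructed example: the AuthorizationServer below is a toy, not a real
implementation; client IDs and redirect URIs are made-up sample values.
"""
import base64
import hashlib
import re
import secrets

# RFC 7636 §4.1: code_verifier is 43..128 chars from the unreserved set.
UNRESERVED_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as required by RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: fresh high-entropy verifier (32 bytes -> 43 chars)."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS: authorization codes are bound to the PKCE challenge and redirect URI."""

    def __init__(self):
        self.registered = {}   # client_id -> set of exact, pre-registered redirect URIs
        self.pending = {}      # code -> (client_id, redirect_uri, code_challenge)
        self.used_codes = set()

    def register_public_client(self, client_id: str, redirect_uri: str) -> None:
        self.registered.setdefault(client_id, set()).add(redirect_uri)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        # Exact-match redirect URI check: no prefix or wildcard matching.
        if redirect_uri not in self.registered.get(client_id, ()):
            raise ValueError("invalid_request: unregistered redirect_uri")
        if method != "S256":
            raise ValueError("invalid_request: only S256 is accepted")
        if not UNRESERVED_RE.match(code_challenge):
            raise ValueError("invalid_request: malformed code_challenge")
        code = secrets.token_urlsafe(32)
        self.pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str) -> dict:
        entry = self.pending.pop(code, None)
        if entry is None or code in self.used_codes:
            raise ValueError("invalid_grant: unknown or already used code")
        self.used_codes.add(code)  # single use, even if verification fails below
        stored_client, stored_uri, challenge = entry
        if client_id != stored_client or redirect_uri != stored_uri:
            raise ValueError("invalid_grant: client_id/redirect_uri mismatch")
        if not UNRESERVED_RE.match(code_verifier or ""):
            raise ValueError("invalid_grant: malformed code_verifier")
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flows() -> dict:
    """Legitimate exchange succeeds; a code used without the verifier, or reused, fails."""
    auth = AuthorizationServer()
    client_id = "com.example.mobileapp"                 # constructed sample
    redirect_uri = "com.example.mobileapp:/oauth2redirect"  # constructed sample
    auth.register_public_client(client_id, redirect_uri)

    verifier = generate_code_verifier()
    code = auth.authorize(client_id, redirect_uri, code_challenge_s256(verifier))

    results = {}
    # The code leaks (e.g. another app observes the redirect) but the verifier stays on-device.
    try:
        auth.token(client_id, redirect_uri, code, generate_code_verifier())
        results["intercepted"] = True
    except ValueError:
        results["intercepted"] = False
    # A fresh code exchanged by the app that holds the matching verifier.
    code2 = auth.authorize(client_id, redirect_uri, code_challenge_s256(verifier))
    results["legitimate"] = "access_token" in auth.token(client_id, redirect_uri, code2, verifier)
    # Replaying the same code a second time must be rejected.
    try:
        auth.token(client_id, redirect_uri, code2, verifier)
        results["replayed"] = True
    except ValueError:
        results["replayed"] = False
    return results


if __name__ == "__main__":
    print(run_flows())
```

The verifier never leaves the device except in the token request over TLS, and the server accepts only S256 (the plain method would let an observer of the authorization request reuse the challenge as the verifier). Binding the code to an exact redirect URI is what makes the registered URI matter: a code issued for one URI cannot be redeemed under another.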
