I am developing the OAuth 2 REST API for the website I am working on. We have an official native mobile application that uses this API, and we plan to open the API to third-party developers. Our native mobile application will have more permissions than third-party applications. I do this by setting permissions based on client id or application id. I use the password grant type for the official application and the implicit grant type for third-party applications.
But the problem is that, since we do not use client_secret, a third party can in any case get elevated permissions by somehow stealing our official application's client_id and using it to gain access to the elevated permissions in the API, which are exclusive to the official application.
Is there any way to prevent this? How does the official Facebook or Twitter app do it?
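The following is an added illustration of the setup the question describes, not code from the original post or from any real authorization server. It models a token endpoint that picks grant types and scopes purely from the presented `client_id` (the client ids, scope names, user and password are all constructed). The point it makes explicit is that the server sees nothing but the request: two requests with the same fields yield the same scopes no matter which application actually sent them, because in a public client the `client_id` is an identifier rather than a credential; the only thing actually authenticated in the password grant is the user.

```python
# Added example (not from the original post): a minimal model of an OAuth 2
# token endpoint whose permissions are keyed on client_id, as in the question.
# All client ids, scopes and credentials below are constructed for illustration.
from dataclasses import dataclass
import secrets

ELEVATED_SCOPES = frozenset({"read", "write", "admin:users"})  # official app only
THIRD_PARTY_SCOPES = frozenset({"read"})


@dataclass(frozen=True)
class Client:
    client_id: str
    grant_types: frozenset  # grant types this client_id is allowed to use
    scopes: frozenset       # scopes any token for this client_id carries


# Registry as described in the question: permissions are a function of client_id.
CLIENTS = {
    "official-mobile-app": Client("official-mobile-app",
                                  frozenset({"password"}), ELEVATED_SCOPES),
    "acme-third-party": Client("acme-third-party",
                               frozenset({"implicit"}), THIRD_PARTY_SCOPES),
}

# Constructed user database for the password grant.
USERS = {"alice": "correct horse battery staple"}


class TokenError(Exception):
    """OAuth error code as the token endpoint would return it."""


def issue_token(client_id, grant_type, username=None, password=None):
    """Token endpoint with no client authentication (no client_secret).

    The only inputs it can verify are the user's credentials; the client_id
    merely selects a row in CLIENTS.
    """
    client = CLIENTS.get(client_id)
    if client is None or grant_type not in client.grant_types:
        raise TokenError("unauthorized_client")
    if grant_type == "password":
        # Authenticates the *user*, says nothing about which app is calling.
        if username not in USERS or USERS[username] != password:
            raise TokenError("invalid_grant")
    # The implicit grant authenticates the user in the browser; modelled here
    # as already done, since nothing about it identifies the calling app either.
    return {
        "access_token": secrets.token_urlsafe(16),
        "client_id": client_id,
        "scope": sorted(client.scopes),
    }


def scopes_granted(request):
    """Scopes the server grants for a token request.

    `true_origin` records which application really sent the request; it is
    metadata for this illustration only and is deliberately NOT passed to the
    endpoint, because a real server has no such field to look at.
    """
    fields = {k: v for k, v in request.items() if k != "true_origin"}
    return issue_token(**fields)["scope"]


def token_error_for(request):
    """Return the OAuth error code a request provokes, or None if it succeeds."""
    try:
        scopes_granted(request)
    except TokenError as err:
        return str(err)
    return None


if __name__ == "__main__":
    genuine = {"true_origin": "official-mobile-app", "client_id": "official-mobile-app",
               "grant_type": "password", "username": "alice",
               "password": USERS["alice"]}
    lookalike = dict(genuine, true_origin="some-other-app")
    print("genuine app gets:", scopes_granted(genuine))
    print("other app, same request fields, gets:", scopes_granted(lookalike))
```

Running the block prints the same elevated scope list for both requests: the registry check only ever compares the `client_id` string, so the per-client permission model holds exactly as long as nobody else can present that string, which for a value embedded in a shipped mobile binary is not a property the server can enforce.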