Protect Your APIs With OAuth (fleeting)
- External reference: OktaDev/20210826-Protect-Your-APIs-with-OAuth
OAuth 2.1
The JWT Access Tokens profile for OAuth 2.0 may differ from existing implementations.
Yet, they did not change their implementation to follow the standard afterwards.
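As an added example (not from the talk or from Okta's code), the check a resource server can run to see where a token deviates from the JWT access token profile: the `typ` header must be `at+jwt` and the claims `iss`, `exp`, `aud`, `sub`, `client_id`, `iat` and `jti` are required. The HMAC signature and the shared secret are assumptions so the snippet runs offline; a real deployment verifies the issuer's asymmetric signature via its JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; real access tokens are signed with the issuer's private key.
SECRET = b"demo-shared-secret"
# Claims the profile (RFC 9068) marks as REQUIRED in a JWT access token.
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, typ: str = "at+jwt") -> str:
    """Mint a compact JWS for the demo; typ="JWT" mimics a pre-profile issuer."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def check_access_token(token: str, issuer: str, audience: str, now=None) -> list:
    """Return the list of deviations from the profile (empty means it validates)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return ["not a compact JWS (expected three dot-separated parts)"]
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return ["signature invalid"]  # never inspect claims of an unverified token
    header = json.loads(b64url_decode(h))
    claims = json.loads(b64url_decode(p))
    problems = []
    if header.get("typ") != "at+jwt":
        problems.append(f"typ is {header.get('typ')!r}, profile requires 'at+jwt'")
    problems += [f"missing required claim {c!r}" for c in REQUIRED_CLAIMS if c not in claims]
    if claims.get("iss") != issuer:
        problems.append("iss does not match the expected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this resource server")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    return problems
```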
A public client CANNOT securely store a client secret.
You must be prepared for the fact that someone else can run your flow with your secret (https://youtu.be/i2wK-cTD_f0?t=1321).
In that case, it is important to show the user consent screen, because it may help the user notice that something is wrong.
The user consent screen is not compulsory.
Indeed, with a first-party app there is no trust issue.
It only makes sense for a third-party app. In that case, you need to check that the user actually asked for that.