OAuth is a protocol that enables delegated access. Using a token, an entity (typically an application) can access protected resources on behalf of a resource owner (typically a user). These applications are referred to as clients.
The OAuth specification defines a client as follows:
An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
Clients are used to obtain authorization.
In other words: Clients are applications that obtain access_tokens so that they can access resources on behalf of a user or themselves.
The definition is intentionally broad. As a result, in different architectures the concept of a "client" can be applied in different ways. In the case of a single-page application, for example, there are various ways to reason about what constitutes a client.
The OAuth 2.0 Specification (rfc6749) specifies two types of clients in section 2.1:
Confidential Clients are applications that can be entrusted with secrets.
This includes server-side applications, container workloads, and backend services.
These clients can authenticate using a client_secret or other secure methods.
They are typically allowed to use the client credentials flow,
and — depending on the authorization server — may access introspection endpoint.
Public Clients are applications that cannot securely store secrets.
Examples include JavaScript-based single-page applications (e.g. React, Angular, Vue, Svelte)
and native apps installed on a user's phone or computer.
These clients typically use the authorization code flow with PKCE to obtain tokens securely.
An overview:
| Public Clients | Confidential Clients | |
|---|---|---|
| Technology: | Single-Page or Native Apps | Server-Side Sites, Containers |
| Entrusted with a secret: | ✗ | ✓ |
| Available flows: | PKCE | Client Credentials / PKCE |
| Access to userinfo: | ✓ | ✓ |
| Can introspect tokens: | ✗ | ✓ |
Since a client is intended to access protected resources with authorization, it must be properly configured. This means a client has at least the following properties:
access_tokens are obtained by clients and used to access protected resources.
Physical applications may run in different environments.
For example, a Single Page Application runs in a browser on an untrusted device,
while a server-side application runs on a trusted server within a controlled network segment.
In most cases, the context in which each application operates is different. Therefore, clients should be configured accordingly. To support this, we recommend creating a separate client for each physical application.
Written by: Albert Starreveld
IAM Architect / Cloud Architect / Founder @ Entrypage.io
Published on: 24-04-2025