App client secret in moblie app?

[eerimoq]

Is it safe to store the client secret in a mobile app, essentially leaking it? If not, how do a user login from an app directly to Kick?

[ACPixel]

Generally, it is not safe to store secrets in a mobile app because they can be extracted.

Currently, the Kick OAuth system only supports the Authorization Grant flow, which requires a secret. To securely implement this in a mobile app, you would need the user to authenticate in an in-app browser using OAuth with your own server.

In the future, I anticipate that Kick will add other OAuth flow types that do not require a secret, such as the Implicit Grant flow.

However, for now, if you want to authenticate with a mobile app without leaking your client secret, you will have to use your own server as an intermediary.

[eerimoq]

Thanks, but why do the docs link to OAuth 2.0 Code Grant flow with PKCE, which describes how to authenticate without a client secret as I understand it?

[ACPixel]

That link is worded in an obnoxiously confusing way haha. But it is describing the code flow which requires a secret.

The top few points there are just it telling you situations that the flow is not designed for.

[eerimoq]

You sure about that? Looks like the Authorization Code Flow is the one with a secret.

But what do I know. Authentication is confusing =)

[ACPixel]

Authentication is indeed confusing. The docs link to the Authorization Code Flow, with PKCE which is ultimately just an extra layer of security to make sure the same system started and ended the oauth request to my understanding.

The only flows that doesn't require a secret to my knowledge are "implicit" grant flows.

(definitely could be wrong here but I've been doing OAuth for about 10 years now so at this point I'd hope I know what I'm talking about maybe lol)

[eerimoq]

Haha yeah for Twitch my app uses the implicit grant flow