Confidential and Public Applications

According to the OAuth 2.0 spec, applications can be classified as either confidential or public. The main difference relates to whether or not the application is able to hold credentials (such as a client ID and secret) securely.

When you create an application using the Dashboard, Auth0 will ask you what Auth0 application type you want to assign to the new application and use that information to determine whether the application is confidential or public.

To check whether your application is confidential or public, see View Application Type: Confidential or Public.

Confidential applications

Confidential applications can hold credentials in a secure way without exposing them to unauthorized parties. They require a trusted backend server to store the secret(s).

Grant types

Because they use a trusted backend server, confidential applications can use grant types that require them to authenticate by specifying their client ID and secret when calling the token endpoint.

The following are considered to be confidential applications:

ID Tokens

Because confidential applications are capable of holding secrets, you can have ID Tokens issued to them that have been signed in one of two ways:

  • Symmetrically, using their client secret (HS256)
  • Asymmetrically, using a private key (RS256)

Public applications

Public applications cannot hold credentials securely.

Grant types

Public applications can only use grant types that do not require the use of their client secret.

The following are public applications:

ID Tokens

Because public applications are unable to hold secrets, ID Tokens issued to them must be:

  • Signed asymmetrically using a private key (RS256)
  • Verified using the public key corresponding to the private key used to sign the token
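The two signing modes described for confidential and public applications above, as an added example that is not part of the Auth0 documentation: a minimal compact-JWS signer and verifier in Go showing why an HS256 ID Token can only be issued to a confidential application (verifying it requires the very client secret that signs it, so anyone who can verify can also forge) while an RS256 token is verified with nothing but the issuer's public key. The claims, the client secret and the RSA key pair are constructed here; `splitToken` additionally pins the expected algorithm before checking a signature, a caveat the page does not spell out but that any verifier needs.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// sign assembles header.payload.signature with the supplied signature function.
func sign(alg string, claims map[string]any, sigFn func([]byte) ([]byte, error)) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg}) // fixed shape, cannot fail
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, err := sigFn([]byte(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// splitToken checks the compact form and that the header names the algorithm
// the verifier expects; trusting the header blindly invites algorithm confusion.
func splitToken(token, wantAlg string) (input string, sig []byte, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", nil, err
	}
	if err = json.Unmarshal(rawHdr, &hdr); err != nil {
		return "", nil, err
	}
	if hdr.Alg != wantAlg {
		return "", nil, fmt.Errorf("unexpected alg %q, want %q", hdr.Alg, wantAlg)
	}
	if sig, err = b64.DecodeString(parts[2]); err != nil {
		return "", nil, err
	}
	return parts[0] + "." + parts[1], sig, nil
}

// SignHS256 signs with a shared secret (the client secret), which only a confidential application can hold.
func SignHS256(secret []byte, claims map[string]any) (string, error) {
	return sign("HS256", claims, func(input []byte) ([]byte, error) {
		mac := hmac.New(sha256.New, secret)
		mac.Write(input)
		return mac.Sum(nil), nil
	})
}

// VerifyHS256 needs the signing secret itself, so whoever can verify can also forge.
func VerifyHS256(secret []byte, token string) (bool, error) {
	input, sig, err := splitToken(token, "HS256")
	if err != nil {
		return false, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return hmac.Equal(sig, mac.Sum(nil)), nil
}

// NewIssuerKey makes a constructed RSA key pair; only the public half ever leaves the issuer.
func NewIssuerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignRS256 signs with the issuer's private key.
func SignRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	return sign("RS256", claims, func(input []byte) ([]byte, error) {
		h := sha256.Sum256(input)
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	})
}

// VerifyRS256 needs only the public key, so a public application can verify without holding a secret.
func VerifyRS256(pub *rsa.PublicKey, token string) (bool, error) {
	input, sig, err := splitToken(token, "RS256")
	if err != nil {
		return false, err
	}
	h := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil, nil
}

func main() {
	priv, _ := NewIssuerKey()
	rs, _ := SignRS256(priv, map[string]any{"iss": "https://issuer.example", "sub": "user-1"}) // constructed claims
	fmt.Println(VerifyRS256(&priv.PublicKey, rs)) // true <nil>: verified with the public key alone
}
```

Signature checking is only the first step of validating an ID Token; a real verifier also checks the issuer, audience and expiry claims, and obtains the RS256 public key from the issuer's published key set rather than embedding it. Presenting an HS256 token to `VerifyRS256` (or the reverse) is rejected on the algorithm check before any key is consulted, which is the behaviour you want when the same issuer can sign for both confidential and public applications.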