6819_4_1_1

Obtaining Client Secrets

The attacker could try to get access to the secret of a particular client in order to obtain tokens on behalf of the attacked client, with the privileges of that 'client_id', acting as an instance of the client.

A malicious client can impersonate another client and obtain access to protected resources if the impersonated client fails to, or is unable to, keep its client credentials confidential.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.1.1)
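The following is an added illustration, not code from this page or from RFC 6819. It models the authorization-server side of the threat above in a hypothetical in-memory client registry: a token endpoint treats anyone who presents a valid client secret as that client, so confidentiality of the secret is the whole defence. The two mitigations it shows, storing only a salted hash of each secret so a leaked registry does not directly yield usable credentials, and revoking a secret once its disclosure is suspected, are design choices of this example (the names ClientRegistry, issue_token and PBKDF2_ITERATIONS are assumptions).

```python
import hashlib
import hmac
import os
import secrets

# Constructed example of client authentication at an OAuth 2.0 token
# endpoint. Hypothetical design, not code from RFC 6819 or from this page.

PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = os.urandom(16)  # keeps timing uniform for unknown client_ids


def hash_secret(secret, salt):
    """Derive a fixed-length hash of a client secret with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class ClientRegistry:
    """Authorization-server side record of confidential clients."""

    def __init__(self):
        # client_id -> {"salt": bytes, "hash": bytes, "revoked": bool}
        self._clients = {}

    def register(self, client_id):
        """Create a high-entropy secret for client_id; the plaintext is
        returned exactly once and never stored."""
        secret = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self._clients[client_id] = {
            "salt": salt,
            "hash": hash_secret(secret, salt),
            "revoked": False,
        }
        return secret

    def revoke(self, client_id):
        """Invalidate the current secret; the client must be re-registered."""
        if client_id in self._clients:
            self._clients[client_id]["revoked"] = True

    def authenticate(self, client_id, presented_secret):
        """True only if presented_secret matches the live secret of client_id."""
        record = self._clients.get(client_id)
        if record is None or record["revoked"]:
            # Do the same amount of work for unknown or revoked clients so the
            # response time does not reveal which client_ids exist.
            hash_secret(presented_secret, _DUMMY_SALT)
            return False
        candidate = hash_secret(presented_secret, record["salt"])
        return hmac.compare_digest(candidate, record["hash"])


def issue_token(registry, client_id, client_secret):
    """Minimal client_credentials grant. Whoever presents a valid secret is
    treated as that client, which is why a disclosed secret lets a third
    party act with the client's privileges (RFC 6819, section 4.1.1)."""
    if not registry.authenticate(client_id, client_secret):
        return None  # a real endpoint answers HTTP 401 with error=invalid_client
    return {
        "access_token": secrets.token_urlsafe(24),
        "token_type": "Bearer",
        "client_id": client_id,
    }


if __name__ == "__main__":
    reg = ClientRegistry()
    s = reg.register("app-a")
    print("valid secret   ->", issue_token(reg, "app-a", s) is not None)
    print("wrong secret   ->", issue_token(reg, "app-a", "guess") is None)
    reg.revoke("app-a")
    print("after revoke   ->", issue_token(reg, "app-a", s) is None)
```

Note that the example does not, and cannot, tell a legitimate instance of the client apart from a third party holding the same secret; that is the residual risk the RFC describes, and it is why per-deployment secrets and strong client authentication (for example signed client assertions) are the countermeasures it lists rather than anything the token endpoint can check on its own.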

Mitigations

This threat is considered fully mitigated if all the test cases from the following test set succeed.
