Application Types

BlueNexus uses OAuth 2.1, an open standard for secure authorization. It allows users to grant your app limited access to their resources without sharing credentials.

Here’s how it works in general:

  1. User Authentication: Your app redirects the user to the authorization server, where they log in.

  2. Authorization Grant: The user approves (or denies) your app's access request. On approval, the authorization server redirects the browser back to your app's registered redirect URI with a short-lived authorization code.

  3. Token Exchange: Your app sends that authorization code to the token endpoint, together with its PKCE code verifier (and its client secret, if it is a confidential client), and receives an access token.

  4. API Access: Your app uses the access token to make authenticated API calls.

OAuth Application Types

All applications will use the Authorization Code Flow with PKCE (standard OAuth 2.1). The main difference is whether the application can securely store a client secret.

Application Type          Client Type     Secret   Example
SPA (React, Vue)          Public          No       Browser app
Mobile (iOS, Android)     Public          No       Native app
Desktop (Electron, CLI)   Public          No       Local app
Web Server                Confidential    Yes      Node.js, Flask
M2M / Service             Confidential    Yes      Worker, API client

Public clients

Public clients cannot safely store secrets such as a Client Secret: their code runs in environments the end user can inspect or modify (browsers, mobile devices, desktop machines), so anything embedded in it must be treated as public. Instead of a secret they rely on PKCE, which binds the authorization code to the client instance that requested it, so a code intercepted in transit cannot be redeemed without the matching code verifier.

These clients should not get a client secret and should never bundle a secret with their code/binaries.

Confidential Clients

Confidential clients can securely store credentials, and are therefore provided a Client Secret. They typically run on secure servers or within trusted environments.

Note that, per the OAuth specification, client authentication is mandatory for confidential clients: the secret must be presented at the token endpoint during the token exchange, and a token request that omits it is rejected.
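As an added example (not BlueNexus's own code, endpoints or SDK), the following Python models the four steps above for both client types: generating the PKCE pair, building the authorization request, checking `state` on the redirect, and the token request a public client sends without a secret versus the one a confidential client must send with it. The authorization endpoint URL, client ID, redirect URI and secret are placeholders, and `token_endpoint_decision` is a model of the server-side checks written for this example, not the real authorization server.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint: the page gives no real BlueNexus URLs, so this is assumed.
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"


def b64url(raw):
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_from_verifier(verifier):
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); 32 random bytes give a
    43-character verifier, the minimum length RFC 7636 allows."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_from_verifier(verifier)


def build_authorization_url(client_id, redirect_uri, scope, code_challenge, state):
    """Steps 1-2: the URL the browser is sent to. `state` is checked on the
    way back to reject CSRF; only the challenge (never the verifier) is sent."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def code_from_redirect(redirect_url, expected_state):
    """Parse the redirect back to the app; refuse a state that does not
    match the one stored for this browser session."""
    qs = parse_qs(urlparse(redirect_url).query)
    if not hmac.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: possible CSRF or session mix-up")
    if "error" in qs:
        raise ValueError("authorization denied: " + qs["error"][0])
    return qs["code"][0]


def build_token_request(client_id, redirect_uri, code, code_verifier, client_secret=None):
    """Step 3: form body POSTed to the token endpoint. A public client sends
    no secret; the verifier alone proves it started the flow. A confidential
    client adds its secret (as a body parameter here; HTTP Basic is the other
    common option)."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def token_endpoint_decision(body, issued_code, stored_challenge, is_confidential, registered_secret=None):
    """Model of the checks an authorization server runs before issuing a
    token (assumed for this example, not BlueNexus's implementation)."""
    if body.get("grant_type") != "authorization_code":
        return False, "unsupported grant type"
    if not hmac.compare_digest(body.get("code", ""), issued_code):
        return False, "unknown or already-used code"
    derived = code_challenge_from_verifier(body.get("code_verifier", ""))
    if not hmac.compare_digest(derived, stored_challenge):
        return False, "code_verifier does not match the code_challenge"
    if is_confidential and not hmac.compare_digest(body.get("client_secret", ""), registered_secret or ""):
        return False, "confidential client must authenticate with its secret"
    return True, "access token issued"


def run_flow(is_confidential, client_secret=None, registered_secret=None, attacker_steals_code=False):
    """End-to-end simulation with constructed values; returns (ok, reason)."""
    client_id, redirect_uri = "demo-client", "https://app.example.com/callback"
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    build_authorization_url(client_id, redirect_uri, "profile", challenge, state)
    issued_code = b64url(secrets.token_bytes(24))  # what the server minted after consent
    redirect = redirect_uri + "?" + urlencode({"code": issued_code, "state": state})
    code = code_from_redirect(redirect, state)
    # An interceptor sees the code but never the verifier, so it can only guess one.
    used_verifier = make_pkce_pair()[0] if attacker_steals_code else verifier
    body = build_token_request(client_id, redirect_uri, code, used_verifier, client_secret)
    return token_endpoint_decision(body, issued_code, challenge, is_confidential, registered_secret)


if __name__ == "__main__":
    print("public client:", run_flow(False))
    print("stolen code, no verifier:", run_flow(False, attacker_steals_code=True))
    print("confidential, no secret:", run_flow(True, registered_secret="s3cr3t"))
    print("confidential, with secret:", run_flow(True, "s3cr3t", "s3cr3t"))
```

The `attacker_steals_code` path is the reason public clients are safe without a secret: a leaked code alone is useless at the token endpoint. The confidential case shows the reverse: even with a correct verifier, the server refuses the exchange until the client secret is presented.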

Web Server Application

Examples: Node.js, Python Flask, Ruby on Rails, Java Spring apps

Web server apps run the OAuth flow on the backend, so the client secret never leaves the server. They use the Authorization Code Flow with PKCE and keep the resulting tokens on the server rather than handing them to the browser.
