Security Considerations


The authorization code grant is designed for clients that can keep their client secret confidential (the client ID is a public identifier; only the secret needs protecting). As such, it is most appropriate for web apps running on a server whose source code and configuration are not distributed to users.

If an app wants to use the authorization code grant but can't protect a secret (e.g. a native mobile app, whose binary can be unpacked by anyone who installs it), then the client secret is simply omitted from the request that exchanges the authorization code for an access token, and the client is identified by its client ID alone. However, some services will not accept the authorization code exchange without a client secret, so native apps might need to use an alternate method for those services; the standard alternative today is PKCE (RFC 7636), in which the app generates a fresh per-request secret and the service binds the authorization code to it.

While the OAuth 2.0 spec does not strictly require that redirect URLs use TLS, it is highly recommended: the authorization code is delivered to the redirect URL in the query string, so over plain http anyone on the network path can read it and attempt to exchange it for an access token. The only reason TLS is not mandatory is that deploying a TLS-enabled website was still somewhat of a hurdle for many developers when the spec was written. Some APIs do require https for their redirect endpoints, but many still do not.
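The points above in working code, as an added example that is not part of the original page: how the token request differs for a confidential client (with a secret) and a public client (without one), what the PKCE verifier/challenge pair that replaces the secret looks like and how the server checks it, and a redirect URI policy that insists on https. The client ID, secret, code and redirect URIs are made up for illustration; the loopback exception in the redirect check is a policy choice borrowed from RFC 8252's native-app guidance, not something the page prescribes.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Hypothetical client credentials, used only to illustrate the two request shapes.
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"


def build_token_request(code, redirect_uri, client_id, client_secret=None):
    """Return the form-encoded body of the authorization code exchange.

    A confidential client (a web app running on a server) includes its
    client_secret. A public client (a native mobile app) cannot keep a
    secret, so it omits the parameter and is identified by client_id alone.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the one used in the authorization request
        "client_id": client_id,
    }
    if client_secret is not None:
        params["client_secret"] = client_secret
    return urlencode(params)


def _b64url(raw):
    # Base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 method: code_challenge = base64url(SHA-256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Generate a fresh (code_verifier, code_challenge) for one authorization request.

    The app sends the challenge with the authorization request and keeps the
    verifier; it presents the verifier instead of a client secret when it
    exchanges the code.
    """
    verifier = _b64url(secrets.token_bytes(32))  # 43 unreserved characters
    return verifier, pkce_challenge(verifier)


def verify_pkce(verifier, expected_challenge):
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare it in constant time."""
    return secrets.compare_digest(pkce_challenge(verifier), expected_challenge)


def redirect_uri_is_acceptable(uri):
    """Redirect URI policy assumed for this example: https only, except for
    plain-http loopback addresses, which never leave the device (the RFC 8252
    convention for native apps)."""
    parsed = urlparse(uri)
    if parsed.scheme == "https":
        return True
    if parsed.scheme == "http" and parsed.hostname in ("127.0.0.1", "::1"):
        return True
    return False


if __name__ == "__main__":
    # Confidential web app: secret travels in the token request.
    print(build_token_request("SplxlOBeZQQYbYS6WxSbIA", "https://app.example.com/cb",
                              CLIENT_ID, CLIENT_SECRET))
    # Public native app: no secret; a PKCE verifier takes its place.
    verifier, challenge = make_pkce_pair()
    body = build_token_request("SplxlOBeZQQYbYS6WxSbIA", "http://127.0.0.1:8080/cb", CLIENT_ID)
    print(body + "&code_verifier=" + verifier)
    print("server accepts verifier:", verify_pkce(verifier, challenge))
    for uri in ("https://app.example.com/cb", "http://app.example.com/cb", "http://127.0.0.1:8080/cb"):
        print(uri, "->", "ok" if redirect_uri_is_acceptable(uri) else "rejected")
```

The `pkce_challenge` function reproduces the RFC 7636 Appendix B test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`), which is a quick way to confirm an implementation before wiring it to a real service.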