The specific OAuth 2.0 grant type most appropriate and secure for a client-side mobile banking application initiating an OTP generation request is the Authorization Code Flow with Proof Key for Code Exchange (PKCE). OAuth 2.0 is an industry-standard protocol for authorization, allowing a client application to access protected resources on behalf of a user, without exposing the user's credentials to the client. A grant type defines the way an application obtains an access token, which is a credential used to access protected resources.
A client-side mobile banking application is considered a "public client" in OAuth 2.0 terminology. This is because, unlike "confidential clients" (such as server-side applications), a mobile application runs on a device that cannot securely store a client secret. A client secret is a confidential string known only to the client and the authorization server, used to authenticate the client itself when requesting tokens. If a client secret were embedded in a mobile app, it could be extracted by reverse-engineering the app, compromising security.
The Authorization Code Flow is generally the most secure grant type, even without PKCE, because it involves an intermediary authorization code. Instead of the access token being directly exposed, the authorization server first issues a temporary, single-use authorization code to the client. The client then exchanges this code for an access token directly with the authorization server's token endpoint. This exchange is typically performed over a secure back-channel connection, making it less vulnerable to interception compared to direct token issuance.
However, for public clients like mobile applications, the standard Authorization Code Flow still has a vulnerability: if an attacker intercepts the authoriz....
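The following is an added worked example, not code from the original answer: it models both sides of the Authorization Code Flow with PKCE (RFC 7636) so the mechanism is visible end to end. The public client generates a random code_verifier, sends only its SHA-256 code_challenge in the authorization request, and later presents the verifier at the token endpoint; the server binds the challenge to the issued code and refuses the exchange unless the verifier matches. The toy authorization server, its in-memory stores, the client id and the endpoint method names are constructed assumptions for illustration; there is no network I/O. The known-answer values in `rfc_appendix_b_check` are the test vectors published in RFC 7636 Appendix B.

```python
"""Worked PKCE example (added here; not code from the original answer).

Both sides of the Authorization Code Flow with PKCE are modelled in-process:
a public mobile client that cannot keep a client secret, and a toy
authorization server. Endpoint names, client id and stores are assumptions.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires for verifier and challenge.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43-character verifier, inside the RFC's 43..128 range.
    # The verifier never leaves the app until the token request.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def rfc_appendix_b_check() -> bool:
    # Known-answer test using the code_verifier / code_challenge pair from RFC 7636 Appendix B.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    expected = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    return make_code_challenge(verifier) == expected


class ToyAuthorizationServer:
    """Minimal stand-in for an authorization server (constructed for this example)."""

    def __init__(self) -> None:
        # authorization code -> (client_id, code_challenge); codes are single-use.
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Authorization endpoint: bind the challenge to a fresh, short-lived code.
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        # Token endpoint: the code is consumed on first use, whether or not the
        # exchange succeeds, so a replayed or stolen code cannot be retried.
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}  # unknown or already-used code
        bound_client, challenge = entry
        expected = make_code_challenge(code_verifier)
        if bound_client != client_id or not hmac.compare_digest(expected, challenge):
            return {"error": "invalid_grant"}  # verifier does not match the challenge
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


CLIENT_ID = "mobile-banking-app"  # assumed public client identifier


def legitimate_exchange() -> tuple[dict, dict]:
    # Happy path: the app that created the verifier redeems the code, then a
    # second attempt with the same code is rejected (single-use).
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, make_code_challenge(verifier))
    first = server.token(CLIENT_ID, code, verifier)
    replay = server.token(CLIENT_ID, code, verifier)
    return first, replay


def intercepted_code_exchange() -> dict:
    # Failure mode the text describes: a party that observes the code on the
    # device's redirect but never saw the verifier cannot complete the exchange.
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, make_code_challenge(verifier))
    return server.token(CLIENT_ID, code, make_code_verifier())  # wrong verifier


if __name__ == "__main__":
    print("RFC 7636 Appendix B vector ok:", rfc_appendix_b_check())
    print("legitimate, replay:", legitimate_exchange())
    print("intercepted code:", intercepted_code_exchange())
```

The design point worth noticing is that the server never needs a client secret: the proof that the token request comes from the same app instance that started the flow is the verifier, which exists only in that app's memory. Accepting only the `S256` method matters because with `plain` the challenge equals the verifier, so anyone who sees the authorization request also holds the proof.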