Single `client configuration` for multiple applications

In our project it was agreed to use a single client configuration (public) for both the frontend application running in the browser and a few backend applications.
It is known that it breaks the boundaries of OAuth2 Client and OAuth2 Resource Server.
But it is said that just for users and roles (no Resource Authorisation) it is fine.

Could you give me an example where this scenario is unsafe?


Here’s a nice explanation from @stianst:

I would strongly recommend against this for several reasons.

The different applications will have different URLs, and redirect-uris/web-origins should be as specific as possible. Applications will need different things stuffed into the tokens (they access different services, need different information about the user, etc.). Users also want to be able to view what applications they are using, not an aggregate of all applications.

I can write many more reasons why not to do this, but at the end of the day it is just pure laziness and should not be done.
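
An added example, not part of the thread or of any project's code: a small audit of the redirect-URI and web-origin point made in the quoted reply. The field names follow Keycloak-style client JSON, which is an assumption, and both sample clients are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data using Keycloak-style client fields (an assumption;
# the thread does not name the identity provider or show any configuration).
SHARED = {
    "clientId": "everything",
    "publicClient": True,
    "redirectUris": ["https://spa.example.com/*", "https://admin.example.com/*",
                     "https://reports.example.com/*"],
    "webOrigins": ["*"],
}
PER_APP = {
    "clientId": "spa",
    "publicClient": True,
    "redirectUris": ["https://spa.example.com/callback"],
    "webOrigins": ["https://spa.example.com"],
}

def audit_client(client):
    """Return a list of findings for one client configuration."""
    findings = []
    hosts = set()
    for uri in client.get("redirectUris", []):
        parts = urlsplit(uri)
        if not parts.netloc:
            # e.g. "*" or "/*": no scheme and host to pin the redirect to
            findings.append(f"redirect URI without a fixed host: {uri}")
            continue
        hosts.add(parts.netloc)
        if "*" in parts.netloc:
            findings.append(f"wildcard host in redirect URI: {uri}")
        elif uri.endswith("*"):
            findings.append(f"wildcard path in redirect URI: {uri}")
    # Several hosts on one client means several applications share it
    if len(hosts) > 1:
        findings.append(f"one client serves {len(hosts)} hosts: {sorted(hosts)}")
    for origin in client.get("webOrigins", []):
        if origin == "*":
            findings.append("web origin '*' permits any origin")
    return findings

if __name__ == "__main__":
    for c in (SHARED, PER_APP):
        print(c["clientId"], audit_client(c) or "ok")
```
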