In the User Agent Flow, when the Access Token response is returned, it contains a signature. Does anybody know how it is validated by the Mobile App? SF documentation states the following: Signature: "Base64-encoded HMAC-SHA256 signature signed with the client_secret. The signature can include the concatenated ID and issued_at value, which you can use to verify that the identity URL hasn't changed since the server sent it." The Mobile App doesn't have the client_secret value, so it's a bit confusing. Thanks
@Samuel Rosen thanks. So if we were to build a Native or React Native mobile app, it would always be considered a public client, right? Or what would be an example of a non-public client? When you say ship the Client Secret with the mobile app, where would it be stored, on the mobile device itself? Smart Store storage is volatile if I'm not mistaken, which means it wouldn't work for storing the Client Secret.
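The check the quoted documentation describes, written out as an added example (not Salesforce code and not posted by anyone in the thread). It assumes the HMAC input is the id value immediately followed by issued_at, and that the verification runs on a confidential backend that holds client_secret, which is why a public mobile client cannot perform it itself; all sample values are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample values: not a real client secret, identity URL or token response.
CLIENT_SECRET = "example-client-secret-not-real"
SAMPLE_RESPONSE = {
    "id": "https://login.salesforce.com/id/00Dxx0000000000EAA/005xx000000000AAA",
    "issued_at": "1700000000000",
}


def compute_signature(client_secret: str, identity_url: str, issued_at: str) -> str:
    """Base64(HMAC-SHA256(id + issued_at, client_secret)), per the quoted description.

    Concatenation order (id then issued_at) is an assumption of this example.
    """
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (identity_url + issued_at).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature(client_secret: str, response: dict) -> bool:
    """Backend-side check: recompute the MAC and compare in constant time.

    Returns False if the signature is missing, or if id or issued_at were
    altered after the authorization server produced the response.
    """
    signature = response.get("signature")
    if not isinstance(signature, str):
        return False
    expected = compute_signature(client_secret, response["id"], response["issued_at"])
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    signed = dict(SAMPLE_RESPONSE)
    signed["signature"] = compute_signature(
        CLIENT_SECRET, signed["id"], signed["issued_at"]
    )
    print("valid:", verify_signature(CLIENT_SECRET, signed))
    signed["id"] = signed["id"].replace("005xx000000000AAA", "005xx000000000BBB")
    print("after tampering with id:", verify_signature(CLIENT_SECRET, signed))
```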