Store client secret securely

Backend · unresolved · 5 · 546
说谎 2020-12-16 05:43

I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.

But, the

5 answers
  •  失恋的感觉
    2020-12-16 06:13

    @Semih's answer was on the right track. The secret key part is what needs to be expanded upon.

    1. The secret key is between the application and the gateway server, not the underlying services.
    2. The gateway server is responsible for converting that key to something specific for the services.

    The secret key is built using the following after the login process is complete:

    1. The server generates a key pair specific for the client logging in.
    2. The server's public key is sent for encryption specific for the client logging in.
    3. The app will generate a key pair for its own purposes.
    4. The app will send the public key encrypted with the server's public key.
    5. The server will validate the public key is signed with their public key.

    Any future requests would involve the following:

    All data sent from the client to the server would be encrypted using JWT: the message would be signed by the app's private key and encrypted using the server's public key.

    The problem is securing #1: anyone can log in and get the process started, so how would you prevent that? The only way I can think of is to do a CAPTCHA check on the login.

    The solution pushes the storage of the client secrets to the server rather than onto the app itself and protects it using the app's credentials.
