Client_id and client_secret overview

A little new to OAuth and wanted to ask if I understood something correctly. I use OWIN and C# and I am setting up the following scenario:

  • the user makes a request to my token endpoint, passing in a username/password with a grant_type of password. If the credentials are valid, I create a JWT.

  • The JWT is returned to the user, and then the client uses this token for all requests.

  • For any requests that require authorization, I use the token in the request to ensure that the user is allowed to make this request.

So what are client_id and client_secret? Is this just an additional level of security to say "before you can even get the token, you need to give me another set of credentials (id/secret), and only if they are valid, in addition to your username and password, will you be returned a JWT"?

I would like to understand how they are connected with each other. Thank you very much!

+6
2 answers

Neither client_id nor client_secret is used in the password flow. However, as you probably know, OAuth2 has other flows suitable for other scenarios.

Namely:

  • authorization code flow, used in web applications that authenticate users server-side. client_id is used in the initial redirect; client_secret is used in the last step, when the application exchanges the one-time code for the token.

  • client credentials flow, used to authenticate applications rather than individual users.

A quick reference to all the various flows: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

+3

There are two sides that need to be authenticated: the application and the user.

The application authenticates with an identifier and a secret, possibly backed by a callback URL, which should ensure that the token recipient is correct.

The user authenticates through the OAuth provider. This can use a username/password or whatever the OAuth provider sees fit. The token is used so that the application can access user data without knowing the username and password.

0
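The two answers above both describe the same mechanism: client_id identifies the application on the front channel (the browser redirect), client_secret authenticates it on the back channel (the code exchange, or a client-credentials request), and the registered callback URL decides where a one-time code may be delivered. The following is an added example, not code from the original post or from OWIN; it is a toy in-memory authorization server in Python that implements the authorization code and client credentials grants as the first answer lists them. All names (web-app, s3cr3t, https://app.example/cb, the user alice) are constructed for the demo, and tokens are opaque random strings rather than JWTs.

```python
"""Toy OAuth2 authorization server (added example; constructed data, in-memory only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


def _h(s: str) -> bytes:
    # Store a digest of the client_secret, never the secret itself.
    return hashlib.sha256(s.encode()).digest()


@dataclass
class Client:
    client_id: str
    secret_hash: bytes
    redirect_uris: tuple  # exact-match allow-list of callback URLs


@dataclass
class AuthorizationServer:
    clients: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # code -> (client_id, redirect_uri, user, expiry)
    tokens: dict = field(default_factory=dict)   # token -> {"subject", "client_id"}
    code_ttl: int = 60

    def register_client(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = Client(client_id, _h(client_secret), tuple(redirect_uris))

    def authorize(self, client_id, redirect_uri, user, state):
        """Front channel: the browser arrives with client_id only (no secret).
        The redirect_uri must be registered, so the code only reaches the app
        that owns this client_id."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            raise PermissionError("unknown client_id or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.pending[code] = (client_id, redirect_uri, user, time.time() + self.code_ttl)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Back channel: the app's server proves itself with client_secret and
        trades the single-use code, bound to client and redirect_uri, for a token."""
        self._authenticate_client(client_id, client_secret)
        entry = self.pending.pop(code, None)  # pop: a replayed code fails
        if entry is None:
            raise PermissionError("unknown or already used code")
        issued_to, issued_uri, user, expiry = entry
        if issued_to != client_id or issued_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("code not valid for this client/redirect_uri, or expired")
        return self._issue(subject=user, client_id=client_id)

    def client_credentials(self, client_id, client_secret):
        """The application authenticates for itself; no user is involved."""
        self._authenticate_client(client_id, client_secret)
        return self._issue(subject=client_id, client_id=client_id)

    def introspect(self, token):
        return self.tokens.get(token)

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.secret_hash, _h(client_secret)):
            raise PermissionError("client authentication failed")

    def _issue(self, subject, client_id):
        token = secrets.token_urlsafe(32)  # opaque here; a JWT would carry the same claims
        self.tokens[token] = {"subject": subject, "client_id": client_id}
        return token


def _rejected(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    """Exercise both grants against constructed data; return what happened."""
    srv = AuthorizationServer()
    srv.register_client("web-app", "s3cr3t", ["https://app.example/cb"])
    cb = "https://app.example/cb"
    location = srv.authorize("web-app", cb, "alice", "xyz")       # browser redirect
    code = parse_qs(urlparse(location).query)["code"][0]
    wrong_secret = _rejected(srv.exchange_code, code, "web-app", "wrong", cb)
    user_token = srv.exchange_code(code, "web-app", "s3cr3t", cb)  # server-side exchange
    replay = _rejected(srv.exchange_code, code, "web-app", "s3cr3t", cb)
    bad_redirect = _rejected(srv.authorize, "web-app", "https://evil.example/cb", "alice", "xyz")
    app_token = srv.client_credentials("web-app", "s3cr3t")
    return {
        "user_subject": srv.introspect(user_token)["subject"],
        "app_subject": srv.introspect(app_token)["subject"],
        "wrong_secret_rejected": wrong_secret,
        "replay_rejected": replay,
        "bad_redirect_rejected": bad_redirect,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is which step checks what: authorize() accepts only a client_id and a registered callback, because anything sent to the browser is public; exchange_code() and client_credentials() are the only places the secret is compared, and a wrong secret leaves the pending code untouched while a correct one consumes it so it cannot be replayed.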