Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does Oauth 2.0 need consumer key/consumer secret

Tags:

rest

authentication

oauth

oauth-2.0

api

So evidently when using OAuth 1.0 you need to acquire consumer key and consumer secret from the API provider...

But then when I try to use OAuth 2.0 APIs such as Facebook, Google Oauth 2.0, etc I never needed to acquire consumer key/consumer secret (I acquired App ID and App secret for Facebook, but those are different from consumer key/consumer secret am I correct?)

So my question is...is it true that when using Oauth 2.0, you don't need to have a consumer key/consumer secret as in Oauth 1.0

Also there are no signature methods (HMAC-SHA1 etc) necessary for Oauth 2.0, is that correct? HMAC-SHA1 is only relevant for Oauth 1.0, correct?

like image 276
pillarOfLight Avatar asked Jul 31 '12 16:07

pillarOfLight

People also ask

Is client secret mandatory in oauth2?

Client secret is not needed because the access token is used by the resource server. However, the client secret is used by the authorization server to authenticate the client. If the client has the access token, that means it is already authenticated. Please refer section 7.

What is consumer key and consumer secret in OAuth?

OAuth includes a Consumer Key and matching Consumer Secret that together authenticate the Consumer (as opposed to the User) to the Service Provider. Consumer-specific identification allows the Service Provider to vary access levels to Consumers (such as un-throttled access to resources).

How does OAuth 2.0 authentication work?

It works by delegating user authentication to the service that hosts a user account and authorizing third-party applications to access that user account. OAuth 2 provides authorization flows for web and desktop applications, as well as mobile devices.

Is client secret necessary?

Client SecretIt is essential the application's own password. It must be sufficiently random to not be guessable, which means you should avoid using common UUID libraries which often take into account the timestamp or MAC address of the server generating it.

2 Answers

  1. OAuth 2 providers typically issue you an identifier for your client/app and some secret/password, the OAuth draft calls these client identifier and client secret. These are used to check if a call was really issued by your application. However, OAuth covers different Authorization Grant flows which are more or less secure and do not all require some kind of secret. Google calls them client ID and client secret, Facebook calls them App ID and App Secret, but they are both the same.
  2. Yes, all cryptographic steps were moved to server side in OAuth 2.
like image 155
Jan Gerlinger Avatar answered Oct 04 '22 20:10

Jan Gerlinger

The authorization grant flow that you are referring to is known as the Client Credentials Grant flow in the OAuth 2 specification. It is used to do application-only authentication. Meaning that no user is involved. A typical example is the display of a twitter feed on a home page.

Normally the application passes both consumer key (or app ID) and consumer secret (or app secret) over HTTPS to the server. This request is only protected by HTTPS; there is no additional encryption. The server returns a token that you can use from that point on to make requests to the API - given it does not require a user context.

The consumer key (or app ID) identifies your application and may have a meaningful value. You normally don't (or can't) change this anymore. The consumer secret however can be regenerated in case you believe it has been compromised. This explains why there are two keys.

Regenerating the consumer secret is different from invalidating the token which won't help you if the consumer key and consumer secret have been compromised.

like image 42
Frank Avatar answered Oct 04 '22 18:10

Frank
Sign in to Comment

Related questions

Equivalent of define-fun in Z3 API
When not to use REST APIs? [closed]
What is the best HTTP status code for blocked user profile in rails api?
EXI (efficient XML interchange) coming... Are XML APIs ready?
Developing Chat API like that of Stackoverflow [closed]
Java CVS library [closed]
Trello API: determine when a card changed lists?
Angular 6 ResponseContentType
How to send api key in Header @ Postman?
Why is it said that WinRT replaces the Windows API
How to select destination output device using Web Audio Api
WordNet Java API [closed]
How to use Ansible 2.0 Python API to run a Playbook?
Still possible to use Google Calendar API with API Key?
How to Protect a private REST API
Facebook Graph API PHP SDK posting on page as page
Android 4.0 - API Level 14 vs Google APIs (Google Inc.) - API Level 14: What is the difference?
how do you access a jenkins api which uses Github OAuth using CURL
How can I create a language independent library using Python?
How to get client secret via Keycloak API?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!