OAuth2 Server setup: 'client_id' and 'client_secret' for 'password' grant type

I'm fairly new to setting up an OAuth2 server, and was hoping that someone could help me shed some light on a couple of things.

This is the package that I am implementing:
https://github.com/lucadegasperi/oauth2-server-laravel

From what I've read about this package, I'm pretty sure that the 'password' / 'Resource Owner' grant_type is what I should be using for setting up a mobile app's API access, much like a mobile banking app (sensitive data).

Referencing the OAuth2 spec:
https://www.rfc-editor.org/rfc/rfc6749#section-4.3

The OAuth2 spec states that the client must already be authenticated, so there are 5 total parameters that must be passed to be granted an access token:

  • grant_type ('password')
  • username
  • password
  • client_id
  • client_secret

I have 2 questions regarding this:

  1. Are Android and iOS apps capable of keeping a 'client_id' and 'client_secret' confidential? ('client' being the app or device itself, not the user)
  2. Should 'client_id' and 'client_secret' be unique per device? (Should I create a new controller for generating client_ids and client_secrets per device in a separate request, or use the same client_id and client_secret built into the apps?)

Ultimately, I'm trying to figure out best practices for getting records in the 'oath_clients' table and if those entries should be unique per device.

Thanks for your help!

c-griffin asked Apr 03 '14 02:04

1 Answer

Whether all devices should share the same pair of client_id and client_secret or whether each device should have a different pair of client_id and client_secret is up to you. From a viewpoint of OAuth 2.0, there is no difference between them because OAuth 2.0 does not care about how each application instance obtains a pair of client_id and client_secret. You may

  1. embed a pair of client_id and client_secret in your application's source code, or
  2. let your application communicate with your server in order to be assigned a new pair of client_id and client_secret.

If you wanted to assign a different pair of client_id and client_secret to each device, the flow would be like the following.

  1. Your application connects to your server.
  2. Your application sends the device ID to your server.
  3. Your server receives the device ID.
  4. Your server generates a pair of client_id and client_secret.
  5. Your server sends the pair back to your application.
  6. Your application receives the pair.

If you want to identify a device by a client_id, you need to associate each client_id with a device. However, if you just want to know which device is accessing protected resources, it may be enough to require a 'device_id' parameter or something similar when a client application accesses endpoints of protected resources. To be concrete:

GET /protected_resource?access_token=.....&device_id=.....

Finally, as for your first question: OAuth 2.0 does not think native applications can keep client credentials confidential. Below is an excerpt from "9. Native Applications".

Native applications that use the authorization code grant type
SHOULD do so without using client credentials, due to the native
application's inability to keep client credentials confidential.

Takahiko Kawasaki answered Sep 24 '22 20:09
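
The per-device registration flow (steps 1 to 6) and the five-parameter password grant discussed above, as an added example in Python that is not the answer's code and not part of the lucadegasperi package: a toy in-memory authorization server that mints a client_id/client_secret per device, stores only a hash of the secret, and maps issued tokens back to the registering device. The user table, device ids and the SHA-256 secret hashing are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample resource owner; a real server stores salted password hashes.
USERS = {"alice": "correct horse"}
CLIENTS = {}   # client_id -> {"secret_hash": ..., "device_id": ...}
TOKENS = {}    # access_token -> {"client_id": ..., "username": ...}


def _hash(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


def register_device(device_id: str) -> tuple:
    """Steps 1-6 of the answer: the server mints a client_id/client_secret pair
    for one device and stores only a hash of the secret, returning the
    plaintext secret once so the app can keep it."""
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    CLIENTS[client_id] = {"secret_hash": _hash(client_secret), "device_id": device_id}
    return client_id, client_secret


def token_endpoint(form: dict) -> dict:
    """RFC 6749 section 4.3 password grant with client authentication (the five
    parameters listed in the question). Credential checks run in constant time."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    presented = _hash(form.get("client_secret", ""))
    if client is None or not hmac.compare_digest(client["secret_hash"], presented):
        return {"error": "invalid_client"}
    expected = USERS.get(form.get("username", ""))
    given = form.get("password", "")
    if expected is None or not hmac.compare_digest(expected.encode(), given.encode()):
        return {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": form["client_id"], "username": form["username"]}
    return {"access_token": token, "token_type": "Bearer"}


def device_for_token(access_token: str) -> Optional[str]:
    """Resource-server side: with per-device client_ids a token maps back to the
    device that registered it, which a single shared client_id cannot give you."""
    entry = TOKENS.get(access_token)
    return CLIENTS[entry["client_id"]]["device_id"] if entry else None
```

Because the secret is only ever held by the app, the server-side store contains nothing that could be replayed as a client_secret even if it leaks, which is the point of hashing it.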