A bit of a beginner to OAuth and wanted to ask if I understood something correctly. I'm using OWIN and C# and I set up the following scenario:
a user makes a request to my token endpoint, passing in a username/password with a grant_type of password. If the credentials are valid, then I create a JWT.
The user gets back a JWT, and then the client uses that token going forward for all requests.
Any requests that require authorization I use the token's claims to ensure the user is allowed to make this request.
So where does the client_id and client_secret come into this? Is this just an extra layer of security to say "before you can even get a token, you need to pass me another set of credentials (id/secret) and only if those are valid, in addition to your username/password provided, can you get back a JWT"?
Would like to understand how the two relate - Thanks so much!
Client Secret (OAuth 2.0 client_secret) is a secret used by the OAuth Client to authenticate to the Authorization Server. The Client Secret is a secret known only to the OAuth Client and the Authorization Server. The Client Secret must be sufficiently random to not be guessable.
The Client ID is a public identifier of your application. The Client Secret is confidential and should only be used to authenticate your application and make requests to LinkedIn's APIs.
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
Both client_id and client_secret are not used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios.
Namely:
the authorization code flow, used in web apps that authenticate users server side. The client_id is used in the initial redirect; the client_secret is used in the last step, where the app exchanges the one-time code for a token.
the client credentials flow, used to authenticate applications rather than individual users.
A concise reference of all various flows: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
There are two parties that need to be authenticated: the application and the user.
The application is authenticated with the ID and secret, possibly backed up by the callback URL, which should ensure that the recipient of the token is the right one.
The user is authenticated through the OAuth provider. It can use a username/password for it, or whatever the OAuth provider deems necessary. That token is used to allow the application to get the user data without knowing the username and password.
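As an added illustration (not code from the question or from either answer), here is a toy authorization server in Python showing where the two credentials enter the authorization code flow described above: only client_id goes into the browser redirect, while client_secret is presented server-to-server when the one-time code is exchanged for a token. The client registry, secret, code and URLs are constructed sample values, not from any real provider.

```python
import base64
import binascii
import hmac
from urllib.parse import urlencode

# Constructed sample data (hypothetical values): one registered confidential
# web app, and one unused code issued after "alice" logged in at /authorize.
CLIENTS = {"web-app": {"secret": "s3cr3t-example",
                       "redirect_uri": "https://app.example/cb"}}
ISSUED_CODES = {"code-abc": {"client_id": "web-app", "user": "alice",
                             "redirect_uri": "https://app.example/cb"}}

def authorize_url(client_id, redirect_uri, state):
    """Step 1: the browser redirect carries only the public client_id."""
    return "https://auth.example/authorize?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state})

def basic_auth_header(client_id, client_secret):
    """What the app's server sends to prove it is the registered client."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def authenticate_client(authorization_header):
    """HTTP Basic client auth (RFC 6749 sec. 2.3.1), constant-time compare."""
    if not authorization_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization_header[6:]).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, _, secret = raw.partition(":")
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], secret):
        return None
    return client_id

def token_endpoint(headers, form):
    """Step 2: the app (server side, never the browser) posts the code."""
    client_id = authenticate_client(headers.get("Authorization", ""))
    if client_id is None:
        return {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    code = ISSUED_CODES.pop(form.get("code"), None)  # single use: consumed here
    if (code is None or code["client_id"] != client_id
            or code["redirect_uri"] != form.get("redirect_uri")):
        return {"error": "invalid_grant"}
    return {"access_token": f"token-for-{code['user']}", "token_type": "Bearer"}
```

The redirect_uri check binds the code to the registered callback, which is the "callback URL backing up the ID and secret" point made above.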