Understanding client_id and client_secret

A bit of a beginner to OAuth and wanted to ask if I understood something correctly. I'm using OWIN and C# and I set up the following scenario:

  1. A user makes a request to my token endpoint, passing in a username/password with a grant_type of password. If the credentials are valid, then I create a JWT.

  2. The user gets back a JWT, and then the client uses that token going forward for all requests.

  3. For any requests that require authorization, I use the token's claims to ensure the user is allowed to make this request.

So where do the client_id and client_secret come into this? Is this just an extra layer of security to say "before you can even get a token, you need to pass me another set of credentials (id/secret) and only if those are valid, in addition to your username/password provided, can you get back a JWT"?

Would like to understand how the two relate - Thanks so much!

NullHypothesis asked Jan 04 '16 14:01


People also ask

What is client_secret used for?

Client Secret (OAuth 2.0 client_secret) is a secret used by the OAuth Client to Authenticate to the Authorization Server. The Client Secret is a secret known only to the OAuth Client and the Authorization Server. Client Secret must be sufficiently random to not be guessable.

How does client ID secret work?

The Client ID is a public identifier of your application. The Client Secret is confidential and should only be used to authenticate your application and make requests to LinkedIn's APIs.

What is oauth2 and how it works?

OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.


Video Answer


2 Answers

Neither client_id nor client_secret is used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios.

Namely:

  • the authorization code flow, used in web apps that authenticate users server side. The client_id is used in the initial redirect; the client_secret is used in the last step, where the app exchanges the one-time code for a token.

  • the client credentials flow, used to authenticate applications rather than individual users.

A concise reference of all the various flows: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

Wiktor Zychla answered Oct 04 '22 02:10


There are two parties that need to be authenticated: the application and the user.

The application is authenticated with the ID and secret, possibly backed up by the callback URL, which should ensure that the recipient of the token is the right one.

The user is authenticated through the OAuth provider. It can use a username/password for it, or whatever the OAuth provider deems necessary. That token is used to allow the application to get the user data without knowing the username and password.

Patrick Hofman answered Oct 04 '22 01:10