I am trying to understand some concepts in OAuth and OpenID Connect. To provide some context, let's say I am building a SPA (single page application) that talks to a bunch of microservices. A user needs to authenticate themselves (through the application) before they can access any data, and the user will authenticate themselves on a trusted site.
Looking at OAuth 2 and some of the suggested flows, the Resource Owner Password Credentials Grant seems to be a fitting candidate.
     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+
Some articles I have read say you should send your client_id and client_secret to the authorization server with your payload (username, password, etc.) when requesting authorization. My question is, does this hold for a SPA? Can't someone just inspect your JavaScript and see what your client_id and client_secret are? Is there any point in sending this information?
Registered OAuth applications are assigned a unique Client ID (client_id) and unique Client Secret (client_secret). By sending the client_id and the client_secret, you are letting Sell API know which application is accessing the API. Only requests to the Authorization Server require client credentials.
Client Secret (OAuth 2.0 client_secret) is a secret used by the OAuth Client to authenticate to the Authorization Server. The Client Secret is a secret known only to the OAuth Client and the Authorization Server. The Client Secret must be sufficiently random to not be guessable.
API Key and Secret Key
The Client Secret is confidential and should only be used to authenticate your application and make requests to LinkedIn's APIs. Both the Client ID and Client Secret are needed to confirm your application's identity, and it is critical that you do not expose your Client Secret.
Single-page apps (also known as browser-based apps) run entirely in the browser after loading the JavaScript and HTML source code from a web page. Since the entire source is available to the browser, they cannot maintain the confidentiality of a client secret, so a secret is not used for these apps.
You're correct, a SPA on its own cannot keep secrets or perform client authentication, so there is no point in sending the client_secret.
In the OAuth2 world these clients are known as public clients or non-confidential clients, as opposed to confidential clients, which are able to perform client authentication, for example a traditional server-side application that could keep a client secret in a secure way on the server side.
Performing client authentication is not mandatory; however, you'll lose the ability to make decisions based on knowing for sure the client's identity.