4

Out of curiosity I would like to know why client_id and client_secret are required in 2-legged authentication in OAuth 2.0.

I am using grant_type = password and sending username & password in the POST method, but I am getting the error that "Client credentials are not found in request body or header". When I pass client_id and client_secret I am able to get the access_token.

I am trying to understand why client_id and client_secret are required for 2-legged authentication. I think this is the best place I can get an answer to my confusion.

To be more specific, I have a mobile application which communicates with a server over a web service API, and we do not have any 3rd-party usage; that is the reason we are using 2-legged authentication, but I am confused about the use of client_id and client_secret. Please excuse me if I am asking a stupid question, but for me it's a big confusion.

Hans Z.
Android Leo

2 Answers

4

Client ID and Client Secret

When you register your app with a third party you receive both of the above. Client ID is considered public, and is used to build login URLs. Client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as JavaScript or native apps, then the secret is not used.

I have a perfect article for you: OAuth Simplified

Hope this removes your confusion!

Shreejibawa
  • Thank you for the answer. In my case our app does not have sign-in with social media. We typically ask the user to register using their phone or email and ask them to create their own password. You might think why we need OAuth in such a case: we need to secure our web service API, and that is why we are using OAuth 2.0 to make it secure so no one in the outside world can access the API without having an authorized token. Now my question is what is the use of client_id and client_secret in my case? Should I override these 2 things and only use username and password to generate an authorized token? – Android Leo Feb 07 '15 at 08:17
  • 1
    You can use Basic Auth or Digest Auth as an alternative. You don't have to use OAuth. – Shreejibawa Feb 07 '15 at 08:30
0

Client authentication is not required in the so-called Resource Owner Password Credentials (ROPC) grant that you use, but it is optional. The specification allows for both confidential clients (i.e. clients with a secret) and public clients (i.e. clients without a client secret) as described in: https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2. Apparently your Authorization Server is configured or hard-wired to require it.

If it is hard-wired, it may be due to a too strict interpretation of the spec, as explained in the answer here: Resource Owner Password Credentials Grant - Public Client

Community
Hans Z.
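As an added illustration of the confidential-versus-public distinction in the answer above (this is not code from the question, either answer, or any real authorization server): a minimal token-endpoint handler in Python that applies the client-authentication rule of RFC 6749 to the password grant. The client registry, the user store and the require_client_secret switch are constructed assumptions; the switch reproduces the behaviour of a server hard-wired to demand client credentials, which is what the asker's "client credentials not found" error looks like from the server side.

```python
import base64
import secrets

# Constructed registry, not a real deployment. RFC 6749 s2.1 distinguishes
# confidential clients (can keep a secret) from public clients (cannot).
CLIENTS = {
    "mobile-app": {"confidential": False, "secret": None},
    "backend": {"confidential": True, "secret": "s3cr3t-example"},
}
USERS = {"alice": "correct-horse"}  # constructed; a real server checks a hash

def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication header (RFC 6749 s2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def identify_client(headers, form):
    """Return the registered client, or None if it cannot be identified.
    Confidential clients MUST authenticate (Basic header or body secret);
    public clients only name themselves with client_id (s3.2.1, s4.3.2)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        client_id, _, client_secret = decoded.partition(":")
    else:
        client_id, client_secret = form.get("client_id"), form.get("client_secret")
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if client["confidential"]:
        ok = client_secret is not None and secrets.compare_digest(client_secret, client["secret"])
        return client if ok else None
    return client

def token_endpoint(headers, form, require_client_secret=False):
    """Handle grant_type=password (RFC 6749 s4.3.2). require_client_secret=True
    models a server hard-wired to demand a secret from every client, which is
    the behaviour behind the 'client credentials not found' error in the question."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    client = identify_client(headers, form)
    if client is None:
        return {"error": "invalid_client"}
    if require_client_secret and not client["confidential"]:
        return {"error": "invalid_client", "error_description": "client credentials required"}
    password = form.get("password")
    if password is None or USERS.get(form.get("username")) != password:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
```

With the default setting the public "mobile-app" client obtains a token with only its client_id, exactly as the spec allows; flipping require_client_secret on turns that same request into invalid_client.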