5
votes

I'm fairly new to setting up an OAuth2 server, and was hoping that someone could help me shed some light on a couple of things.

This is the package that I am implementing:
https://github.com/lucadegasperi/oauth2-server-laravel

From what I've read about this package, I'm pretty sure that the 'password' / 'Resource Owner' grant_type is what I should be using for setting up a mobile app's API access, much like a mobile banking app (sensitive data).

Referencing the OAuth2 spec:
http://tools.ietf.org/html/rfc6749#section-4.3

The OAuth2 spec states that the client must already be authenticated, so there are 5 total parameters that must be passed to be granted an access token:
- grant_type ('password')
- username
- password
- client_id
- client_secret

I have 2 questions regarding this:

  1. Are Android and iOS apps capable of keeping a 'client_id' and 'client_secret' confidential? ('client' being the app or device itself, not the user)
  2. Should 'client_id' and 'client_secret' be unique per device? (Should I create a new controller for generating client_ids and client_secrets per device in a separate request, or use the same client_id and client_secret built into the apps?)

Ultimately, I'm trying to figure out best practices for getting records in the 'oath_clients' table and if those entries should be unique per device.

Thanks for your help!


1 Answer

8
votes

Whether all devices should share the same pair of client_id and client_secret or whether each device should have a different pair of client_id and client_secret is up to you. From a viewpoint of OAuth 2.0, there is no difference between them because OAuth 2.0 does not care about how each application instance obtains a pair of client_id and client_secret. You may

  1. embed a pair of client_id and client_secret in your application's source code, or
  2. let your application communicate with your server in order to be assigned a new pair of client_id and client_secret.

If you wanted to assign a different pair of client_id and client_secret to each device, the flow would be like the following.

  1. Your application connects to your server.
  2. Your application sends the device ID to your server.
  3. Your server receives the device ID.
  4. Your server generates a pair of client_id and client_secret.
  5. Your server sends the pair back to your application.
  6. Your application receives the pair.

If you want to identify a device by a client_id, you need to associate each client_id with each device. However, if you just want to know which device is accessing protected resources, it may be enough to require a 'device_id' parameter or something similar when a client application accesses endpoints of protected resources. To be concrete:

GET /protected_resource?access_token=.....&device_id=.....

Finally, as for your first question: OAuth 2.0 does not think native applications can keep client credentials confidential. Below is an excerpt from "9. Native Applications".

Native applications that use the authorization code grant type
SHOULD do so without using client credentials, due to the native
application's inability to keep client credentials confidential.
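The following is an added example, not code from the oauth2-server-laravel package or from the answer above. It puts the answer's six-step per-device registration flow and the question's five-parameter password grant together in one small in-memory server: `register_device` mints a client_id/client_secret pair for a device ID, `token_endpoint` performs the Resource Owner Password Credentials grant with client authentication, `protected_resource` shows that a per-device client_id identifies the calling device from the token alone, and `revoke_device` shows why per-device pairs matter when a native app cannot keep a secret (one leaked pair can be cut off without touching other devices). The dicts standing in for the 'oauth_clients' and user tables, the function names and the error-handling layout are assumptions of this example; the error codes are the ones RFC 6749 section 5.2 defines.

```python
"""Per-device OAuth 2.0 client registration plus a password-grant token endpoint.

Added illustration; all storage is in-memory dicts standing in for the clients,
users and tokens tables (constructed for this example, not the package's schema).
"""
import hashlib
import hmac
import secrets
import time

CLIENTS = {}   # client_id -> {"secret_hash": str, "device_id": str}
USERS = {}     # username  -> {"salt": bytes, "pw_hash": bytes}
TOKENS = {}    # access_token -> {"client_id", "device_id", "username", "expires"}

TOKEN_TTL_SECONDS = 3600


def _hash_secret(secret: str) -> str:
    # client_secret is a high-entropy random string, so SHA-256 at rest is enough;
    # only the hash is stored and the plaintext is shown to the device exactly once.
    return hashlib.sha256(secret.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # User passwords are low entropy: use a slow, salted KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt)}


def register_device(device_id: str) -> dict:
    """Steps 1-6 of the answer's flow: the app sends its device ID, the server
    mints a client_id/client_secret pair tied to that device and returns it."""
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    CLIENTS[client_id] = {"secret_hash": _hash_secret(client_secret), "device_id": device_id}
    return {"client_id": client_id, "client_secret": client_secret}


def revoke_device(device_id: str) -> int:
    """Drop every client registered for a device (e.g. reported lost).
    Returns how many client rows were removed."""
    doomed = [cid for cid, row in CLIENTS.items() if row["device_id"] == device_id]
    for cid in doomed:
        del CLIENTS[cid]
    return len(doomed)


def token_endpoint(params: dict) -> dict:
    """Resource Owner Password Credentials grant (RFC 6749 section 4.3) with
    client authentication; error codes follow RFC 6749 section 5.2."""
    if params.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(params.get("client_id", ""))
    # Always run a constant-time comparison, even for an unknown client_id, so
    # response timing does not reveal which ids exist.
    expected = client["secret_hash"] if client else _hash_secret("")
    presented = _hash_secret(params.get("client_secret", ""))
    if client is None or not hmac.compare_digest(presented, expected):
        return {"error": "invalid_client"}
    user = USERS.get(params.get("username", ""))
    salt = user["salt"] if user else b"\0" * 16          # dummy salt for unknown users
    pw_hash = user["pw_hash"] if user else b""
    pw_ok = hmac.compare_digest(_hash_password(params.get("password", ""), salt), pw_hash)
    if user is None or not pw_ok:
        return {"error": "invalid_grant"}
    access_token = secrets.token_urlsafe(32)
    TOKENS[access_token] = {
        "client_id": params["client_id"],
        "device_id": client["device_id"],
        "username": params["username"],
        "expires": time.time() + TOKEN_TTL_SECONDS,
    }
    return {"access_token": access_token, "token_type": "Bearer", "expires_in": TOKEN_TTL_SECONDS}


def protected_resource(access_token: str) -> dict:
    """Because each client_id maps to one device, the resource server learns which
    device is calling from the token alone, without a separate device_id parameter.
    A token whose client has been revoked is rejected even before it expires."""
    info = TOKENS.get(access_token)
    if info is None or info["expires"] < time.time() or info["client_id"] not in CLIENTS:
        return {"error": "invalid_token"}
    return {"username": info["username"], "device_id": info["device_id"]}


if __name__ == "__main__":
    add_user("alice", "correct horse")
    creds = register_device("device-A")
    resp = token_endpoint({"grant_type": "password", "username": "alice",
                           "password": "correct horse", **creds})
    print(protected_resource(resp["access_token"]))
```

The design choice worth noting is the one the RFC excerpt motivates: since the app cannot truly keep the pair secret, the per-device pair is treated as an identifier plus a revocable credential rather than as proof of anything about the app's integrity. The user's password is still required for every token, the secret is stored only as a hash so a database read does not yield usable client credentials, and revoking one device's row invalidates that device's tokens without affecting any other installation.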