19
votes

A bit of a beginner to OAuth and wanted to ask if I understood something correctly. I'm using OWIN and C# and I set up the following scenario:

  1. a user makes a request to my token endpoint, passing in a username/password with a grant_type of password. If the credentials are valid, then I create a JWT.

  2. The user gets back a JWT, and then the client uses that token going forward for all requests

  3. Any requests that require authorization I use the token's claims to ensure the user is allowed to make this request.

So where do the client_id and client_secret come into this? Is this just an extra layer of security to say "before you can even get a token, you need to pass me another set of credentials (id/secret) and only if those are valid, in addition to your username/password provided, can you get back a JWT"?

Would like to understand how the two relate - Thanks so much!

2
Those are used on validation of the token to make sure both sides match. Kind of like when you use a Google Maps API key. One is created on their side for you when you register and you get the same key that you will pass in on each request. - Stephen Brickner

2 Answers

8
votes

Neither client_id nor client_secret is used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios.

Namely:

  • the authorization code flow, used in web apps that authenticate users server side. The client_id is used in the initial redirect; the client_secret is used in the last step, where the app exchanges the one-time code for a token.

  • the client credentials flow, used to authenticate applications rather than individual users

A concise reference of all various flows: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

4
votes

There are two parties that need to be authenticated: the application and the user.

The application is authenticated with the ID and secret, possibly backed up by the callback URL, which should ensure that the recipient of the token is the right one.

The user is authenticated through the OAuth provider. It can use a username/password for it, or whatever the OAuth provider deems necessary. That token is used to allow the application to get the user data without knowing the username and password.
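To make the split the two answers describe concrete (the application proves itself with client_id and client_secret, the user proves himself with username/password at the provider), here is an added example that is not code from the question's OWIN/C# project or from either answer. It is written in Python rather than C# as a stand-in for the token endpoint. Everything in it is constructed for illustration: a client registry with a confidential client "web-app" (has a secret) and a public client "spa" (no secret), one user "alice", a hypothetical HS256 signing key, and hand-rolled JWT helpers. The token endpoint authenticates the client before looking at the grant, handles the question's password grant as well as the one-time code exchange from the first answer, and mints and checks the JWT of steps 1 to 3 in the question.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed registry with hypothetical ids, secrets and URIs (not from the page). A confidential
# client has a secret, a public client (browser SPA) has none. Plain SHA-256 keeps this short;
# store real secrets and passwords with a proper password hash (argon2, bcrypt, PBKDF2).
CLIENTS = {
    "web-app": {"secret": hashlib.sha256(b"s3cr3t").hexdigest(),
                "redirect_uri": "https://app.example/callback",
                "grants": {"authorization_code", "password"}},
    "spa": {"secret": None, "redirect_uri": "https://spa.example/cb",
            "grants": {"authorization_code"}},
}
USERS = {"alice": hashlib.sha256(b"hunter2").hexdigest()}
JWT_KEY = b"hypothetical-hs256-signing-key"   # load from a secret store in practice
AUTH_CODES = {}   # code -> (client_id, username, redirect_uri); each code is single use

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _check_hash(stored: Optional[str], presented: str) -> bool:   # constant-time compare
    return stored is not None and hmac.compare_digest(stored, hashlib.sha256(presented.encode()).hexdigest())

def issue_jwt(sub: str, client_id: str, ttl: int = 900) -> str:
    """Mint an HS256 JWT; 'azp' records which client the token was issued to."""
    now = int(time.time())
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": sub, "azp": client_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(JWT_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_jwt(token: str) -> Optional[dict]:
    """Step 3 of the question: check signature and expiry before trusting any claim."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        expected = hmac.new(JWT_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(s)):
            return None   # refuse 'alg' games and bad signatures before parsing the claims
        claims = json.loads(_b64url_decode(c))
    except (ValueError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > time.time() else None

def basic_auth(cid: str, secret: str) -> dict:   # header a confidential client sends
    return {"Authorization": "Basic " + base64.b64encode(f"{cid}:{secret}".encode()).decode()}

def authenticate_client(headers: dict, form: dict) -> Optional[str]:
    """Return the client_id if the request proves which application is calling."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            return None
    else:   # public clients carry only client_id in the form body
        cid, secret = form.get("client_id", ""), form.get("client_secret", "")
    client = CLIENTS.get(cid)
    if client is None or (client["secret"] is not None and not _check_hash(client["secret"], secret)):
        return None
    return cid   # a public client (no secret) is identified here, not authenticated

def authorize(client_id: str, redirect_uri: str, username: str, password: str) -> Optional[str]:
    """Code-flow authorization endpoint: only client_id is involved; the user logs in here."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri or not _check_hash(USERS.get(username), password):
        return None   # unknown client, unregistered redirect_uri or bad login: never redirect
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = (client_id, username, redirect_uri)
    return redirect_uri + "?" + urlencode({"code": code})

def token_endpoint(headers: dict, body: str) -> Tuple[int, dict]:
    """Token endpoint: authenticate the application first, then check the grant it asks for."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id = authenticate_client(headers, form)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type", "")
    if grant not in CLIENTS[client_id]["grants"]:
        return 400, {"error": "unauthorized_client"}
    if grant == "password":   # the question's scenario: user credentials in the request body
        user = form.get("username", "")
        if not _check_hash(USERS.get(user), form.get("password", "")):
            return 400, {"error": "invalid_grant"}
    else:   # authorization_code: the secret checked above is what ties the code to the app
        entry = AUTH_CODES.pop(form.get("code", ""), None)   # single use
        if entry is None or entry[0] != client_id or entry[2] != form.get("redirect_uri", ""):
            return 400, {"error": "invalid_grant"}
        user = entry[1]
    return 200, {"access_token": issue_jwt(user, client_id), "token_type": "Bearer", "expires_in": 900}
```

Two things to notice when running it. In the password grant the endpoint sees both sets of credentials in one request and checks the application's first, so a wrong client_secret gets `invalid_client` before the username is even looked at. In the code flow the user's password only ever goes to `authorize`; the application later trades the code for the JWT using its own secret, which is the second answer's point that the app gets the token without knowing the password. The code is burned on the first exchange attempt, whichever client makes it, so a replay or an exchange by a different client_id fails with `invalid_grant`; and the public "spa" client is refused the password grant by policy, since with no secret there is nothing to stop anyone from posing as it.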