OAuth 2.0: client_id and client_secret to be send only in initial request for authorization?

1
votes

Should a OAuth 2.0 Client send his client_id and client_secret only at his initial request for authorization? Or at every request he sends to the Authorization/Resource-Server? Thanks in advance!

@Edit 1: We try to implement the 'Resource Owner Password Credentials'-Flow.

@Edit 2: My guess is that you dont need to send it after you aquired the Access Token. Cause when you already have the access token, the client sends his request directly to the Resource Server. But if you need a refresh token and request one from the Authorization Server, then you need to send client_id and client_secret too. Or am i mistaken?

1
securityoauth-2.0
Your edit 2 is correctAlex83690

1 Answers

0
votes

It all depends on what you want to do with oauth (the flow you use).

You should refer to the flows described here : https://www.rfc-editor.org/rfc/rfc6749

The client_id is required when you redirect to the authorization endpoint of the authorization server. The secret is used when you exchange an authorization code with the authorization server. Then you should send your access token at every request of your client with your resource server (api) using the header "authorization"