
I'm doing research about OAuth2. A lot of things are clear to me, but I have 2 questions.

Question 1: client_id and client_secret

With OAuth a client can be identified with the client_id and client_secret. But I can't find the difference between these 2. I only found that the client_id is public and the client_secret is private.

I think it works like this, but I'm not sure about it. When there is an app called "GreatApp" which would like to get data from the OAuth2 API, it registers with the API and gets 2 ids: one client_id, which is the same for every individual installation of the GreatApp, and the client_secret, which is unique for each individual installation of the GreatApp.

This means you can recognize the application which connects to the API with the client_id and you can recognize an individual phone or tablet by the client_secret.

Is this correct or am I wrong?

Second question: Different types of flows

There is more than one kind of flow used by OAuth2. I read a lot about this and watched some videos on YouTube. They explain 2 or 3 kinds, but they don't clearly say the name of each flow. I Googled a lot, but I can't find a clear explanation of what types of flows there are and which I should use in which situation. I found this documentation, but I think it is Oracle-specific.

Is there someone who can explain to me the flows and when I should use which flow?

CodeNinja

1 Answer


Client ids and secrets are used for confidential clients, meaning those that can keep a secret such as web applications that live on web servers. They are typically not used to register individual instances like mobile apps.

Which grant flow to use when, I've described in this answer. HTH

MvdD
  • I don't understand what you mean by "meaning those that can keep a secret such as web applications that live on web servers." Thanks for the flow answer, I hadn't found this. Is this answer OAuth-specific or is it JSON Web Token-specific? I thought OAuth had different flows and JWT is a token data format which doesn't have flows? – CodeNinja Dec 11 '15 at 15:21
  • It means that you cannot store a secret in a mobile app or JavaScript application and keep it from the user. If you lose the client id and secret, any app can authenticate as your app. OAuth is an authentication framework, but typically uses JWT as the token format. – MvdD Dec 11 '15 at 18:43
  • Ah ok, now I understand. Normally you use client ids and secrets only in a place which is not decompilable or accessible to an end user. Thanks. – CodeNinja Dec 14 '15 at 09:08
  • Ah ok, now I understand. Normally you use client ids and secrets only in a place which is not decompilable or accessible to an end user. But now I still don't understand why you need 2 ids. Why is a secret alone not enough when you always need to hide both ids from the public? – CodeNinja Dec 14 '15 at 09:45
  • You should look at the client id and secret as the username and password for the application. The client id is not secret. – MvdD Dec 14 '15 at 18:17
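The username/password analogy from the answer and the last comment, as an added example that is not part of the original thread: a minimal token-endpoint client check in which the public client_id selects the registered application and the client_secret (held only by confidential clients) proves the caller is that application, while the browser-facing authorization URL carries only the client_id. The registry entries, secret, salt and the auth.example host are constructed placeholders, and the `REGISTRY`, `authorization_url` and `authenticate_client` names are this example's own.

```python
import hashlib
import hmac
import urllib.parse
from typing import Optional, Tuple

# Constructed registry standing in for what an authorization server stores at
# registration time (hypothetical names and values, not real credentials).
# A confidential client (server-side web app) is issued a secret; a public
# client (mobile or browser app) is registered without one, since it cannot hide it.
_SALT = b"constructed-salt-0001"

def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Store only a slow hash of the secret, never the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

REGISTRY = {
    "greatapp-web": {"type": "confidential",
                     "secret_hash": _hash_secret("constructed-secret-not-real", _SALT)},
    "greatapp-mobile": {"type": "public", "secret_hash": None},
}

def authorization_url(client_id: str, redirect_uri: str, state: str) -> str:
    # The authorization request travels through the user's browser, so only the
    # public client_id appears in it; the secret never goes to the front channel.
    query = urllib.parse.urlencode({"response_type": "code", "client_id": client_id,
                                    "redirect_uri": redirect_uri, "state": state})
    return f"https://auth.example/authorize?{query}"

def authenticate_client(client_id: str, client_secret: Optional[str]) -> Tuple[bool, str]:
    """Token-endpoint client authentication: returns (ok, reason).

    client_id says *which* registered application is calling; client_secret,
    where the client type has one, proves it really is that application.
    """
    client = REGISTRY.get(client_id)
    if client is None:
        return False, "unknown_client"
    if client["type"] == "public":
        # Public clients are identified, not authenticated: nothing to check.
        return True, "public_client_identified"
    if not client_secret:
        return False, "secret_required"
    presented = _hash_secret(client_secret, _SALT)
    # Constant-time comparison so timing does not leak how much of the secret matched.
    if not hmac.compare_digest(presented, client["secret_hash"]):
        return False, "invalid_client"
    return True, "confidential_client_authenticated"
```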