Understanding client_id and client_secret
A bit of a beginner to OAuth and wanted to ask if I understood something correctly. I'm using OWIN and C# and I set up the following scenario:
a user makes a request to my token endpoint, passing in a username/password with a grant_type of password. If the credentials are valid, then I create a JWT.
The user gets back a JWT, and then the client uses that token going forward for all requests
Any requests that require authorization I use the token's claims to ensure the user is allowed to make this request.
So where does the client_id and client_secret come into this? Is this just an extra layer of security to say "before you can even get a token, you need to pass me another set of credentials (id/secret) and only if those are valid, in addition to your username/password provided, can you get back a JWT"?
Would like to understand how the two relate - Thanks so much!
Solution 1:[1]
There are two parties that need to be authenticated: the application and the user.
The application is authenticated with the ID and secret, possibly backed up by the callback URL, which should ensure that the recipient of the token is the right one.
The user is authenticated through the OAuth provider. It can use a username/password for it, or whatever the OAuth provider deems necessary. That token is used to allow the application to get the user data without knowing the username and password.
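The two-party check described in this answer, as an added example that is not from the original post or from OWIN: a minimal password-grant token endpoint that authenticates the application with client_id/client_secret before it authenticates the user, then issues an HS256 JWT, plus the resource-server check that reads claims back. The client registry, user table and signing key are constructed placeholder values.

```python
import base64, hashlib, hmac, json, time

# Constructed registry (hypothetical values): secrets and passwords are stored
# as hashes so a leaked table does not hand out working credentials.
CLIENTS = {"web-app": hashlib.sha256(b"s3cret-client").hexdigest()}
USERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
SIGNING_KEY = b"server-side-jwt-key"  # assumed HS256 key, never sent to clients

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _check(table: dict, name: str, secret: str) -> bool:
    # Compare against a dummy digest for unknown names so that an unknown id
    # and a wrong secret take the same path (constant-time comparison).
    expected = table.get(name, "0" * 64)
    return hmac.compare_digest(expected, hashlib.sha256(secret.encode()).hexdigest())

def issue_jwt(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def token_endpoint(form: dict) -> dict:
    """Password grant: first authenticate the application, then the user."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    # 1. The application proves who it is with client_id / client_secret.
    if not _check(CLIENTS, form.get("client_id", ""), form.get("client_secret", "")):
        return {"error": "invalid_client"}
    # 2. The resource owner proves who they are with username / password.
    if not _check(USERS, form.get("username", ""), form.get("password", "")):
        return {"error": "invalid_grant"}
    now = int(time.time())
    claims = {"sub": form["username"], "client_id": form["client_id"],
              "iat": now, "exp": now + 3600}
    return {"access_token": issue_jwt(claims), "token_type": "Bearer", "expires_in": 3600}

def verify_jwt(token: str):
    """Resource-server side: check signature and expiry, return claims or None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None
```

Authorization decisions on later requests then use the verified claims (here `sub` and `client_id`), not anything the caller re-sends in plain form fields.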
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Patrick Hofman |
