Reputation: 676
Out of curiosity, I would like to know why client_id and client_secret are required in 2-legged authentication in OAuth 2.0.
I am using grant_type=password and sending the username and password in the POST request, but I am getting the error "Client credentials are not found in request body or header". When I pass client_id and client_secret, I am able to get the access_token.
I am trying to understand why client_id and client_secret are required for 2-legged authentication. I think this is the best place I can get an answer to my confusion.
To be more specific, I have a mobile application which communicates with a server over a web service API, and we do not have any third-party usage, which is the reason we are using 2-legged authentication, but I am confused about the use of client_id and client_secret. Please excuse me if I am asking a stupid question, but for me it's a big confusion.
Upvotes: 4
Views: 6289
Reputation: 54078
Client authentication is not required in the so-called Resource Owner Password Credentials (ROPC) grant that you use, but it is optional. The specification allows for both confidential clients (i.e. clients with a secret) and public clients (i.e. clients without a client secret) as described in: https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2. Apparently your Authorization Server is configured or hard-wired to require it.
If it is hard-wired, it may be due to a too strict interpretation of the spec, as explained in the answer here: Resource Owner Password Credentials Grant - Public Client
Upvotes: 0
Reputation: 1868
Client ID and Client Secret
When you register your app with a third party, you receive both of the above. The Client ID is considered public and is used to build login URLs. The Client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as JavaScript or native apps, then the secret is not used.
I have a perfect article for you: Oauth Simplified
Hope this removes your confusion!
Upvotes: 4
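To make concrete what both answers describe (client authentication being optional for public clients in the ROPC grant, and a server that is hard-wired to demand it anyway), here is an added toy token endpoint. It is example code written for this page, not the asker's server or any library's API; the client registry, the user store, the secret values and the require_secret_for_all switch are all constructed for the demonstration.

```python
"""Toy OAuth 2.0 token endpoint for the Resource Owner Password Credentials
(ROPC) grant. Constructed example: registry, users and secrets are made up;
nothing here is a real authorization server."""
import base64
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs

# Constructed client registry. A confidential client (server-side code) can
# keep a secret; a public client (mobile or JavaScript app) is registered
# without one, as RFC 6749 section 2.1 allows.
CLIENTS = {
    "mobile-app": {"confidential": False, "secret": None},
    "backend-service": {"confidential": True, "secret": "example-backend-secret"},
}
# Constructed resource-owner store; plaintext only to keep the example short.
USERS = {"alice": "correct-horse-battery-staple"}


def _client_credentials(params: dict, authorization: Optional[str]):
    """Return (client_id, client_secret) from HTTP Basic auth if present
    (RFC 6749 section 2.3.1), otherwise from the request body parameters."""
    if authorization and authorization.startswith("Basic "):
        try:
            raw = base64.b64decode(authorization[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None
        cid, _, csec = raw.partition(":")
        return cid, csec
    return params.get("client_id"), params.get("client_secret")


def token_endpoint(body: str, authorization: Optional[str] = None,
                   require_secret_for_all: bool = False) -> dict:
    """Handle a POST to /token. require_secret_for_all=True (constructed
    switch) mimics a server hard-wired to demand client credentials even
    from public clients, which is the behaviour the question ran into."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != "password":
        return {"status": 400, "error": "unsupported_grant_type"}

    client_id, client_secret = _client_credentials(params, authorization)
    client = CLIENTS.get(client_id)
    if client is None:
        return {"status": 401, "error": "invalid_client"}

    # A confidential client must authenticate; a public client need not,
    # unless the server is configured (or hard-wired) to insist on it.
    if client["confidential"] or require_secret_for_all:
        expected = (client["secret"] or "").encode()
        if not client_secret or not hmac.compare_digest(client_secret.encode(), expected):
            return {"status": 401, "error": "invalid_client",
                    "error_description": "client credentials missing or wrong"}

    # Resource-owner credentials are checked only once the client is accepted,
    # so an unknown or unauthenticated client learns nothing about user passwords.
    username, password = params.get("username"), params.get("password")
    expected_pw = USERS.get(username or "")
    if expected_pw is None or not hmac.compare_digest((password or "").encode(), expected_pw.encode()):
        return {"status": 400, "error": "invalid_grant"}

    return {"status": 200, "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer", "expires_in": 3600}


def basic_auth(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value a confidential client would send."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


if __name__ == "__main__":
    body = "grant_type=password&client_id=mobile-app&username=alice&password=correct-horse-battery-staple"
    print(token_endpoint(body))                               # public client: token issued
    print(token_endpoint(body, require_secret_for_all=True))  # strict server: invalid_client
```

The mobile app in the question corresponds to "mobile-app": with a spec-conformant server it gets a token from the ROPC request alone, while the strict switch reproduces the "client credentials not found" refusal. Note that shipping a client_secret inside a mobile binary to satisfy such a server does not make the client confidential; the secret can be extracted from the app, so it adds no real authentication and the server should instead register the app as a public client.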