webworm

Reputation: 11019

IdentityServer3 - Client and Secret

I am going through some tutorials to see if I can use IdentityServer3 issue/handle tokens to be used in authorizing access to some Web Api endpoints.

One of the concepts I am not quite understanding is the Client and Secret. When using OAuth in previous projects I never had to pass along a client or secret value in the header. I only passed the grant_type, username, and password. Yet IdentityServer seems to expect a client and a secret along with grant_type, username, and password.

Why is a client necessary? Shouldn't the IdentityServer just pass back a bearer token regardless of the type of client? Also, what is the purpose of the secret parameter? Is this used to create the signature of the JWT token?

Upvotes: 0

Views: 631

Answers (1)

Scott Brady

Reputation: 5598

client_id and client_secret are a part of the OAuth spec, not implementation specific to Identity Server. They are part of the client registration, which I like to think of as an access control list, checking to see if the requesting party is authorized to receive access tokens using the requested flow and scopes.

Unregistered clients are supported in the OAuth spec but I've yet to encounter one.

From the sounds of it you have been using the ResourceOwner flow which requires a grant_type of password, client_id, client_secret, multiple scopes, username and password.

client_id and client_secret can also be base64 encoded and sent in the Authorization header using the Basic scheme.

The secret is not used for JWT validation, it is only used to verify the incoming client.

Upvotes: 4
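An added example (not from the original post or from IdentityServer itself) of what the answer describes: a resource-owner-password token request that carries client_id and client_secret in a Basic Authorization header, and the token endpoint's side, where the secret only authenticates the client and the registration acts as an access control list over grant types and scopes. The client registry, ids and secrets are constructed placeholders.

```python
import base64
import hmac
from urllib.parse import quote, unquote

# Constructed stand-in for the client registration store: which clients exist,
# their secret, and which grant types / scopes each is allowed to request.
REGISTERED_CLIENTS = {
    "webapi_client": {
        "secret": "s3cr3t-placeholder",
        "allowed_grants": {"password"},
        "allowed_scopes": {"api1", "openid"},
    },
}


def build_token_request(client_id, client_secret, username, password, scopes):
    """Headers and form body of a password-grant token request (RFC 6749 4.3)
    with client authentication in the Basic scheme (RFC 6749 2.3.1, which
    form-encodes id and secret before base64 encoding)."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {"grant_type": "password", "username": username,
            "password": password, "scope": " ".join(scopes)}
    return headers, body


def authorize_client(headers, body):
    """Token-endpoint check: the secret verifies the calling client (it is not
    a JWT signing key); the registration then gates grant type and scopes."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return "invalid_client"
    try:
        raw = base64.b64decode(b64, validate=True).decode()
        client_id, secret = (unquote(p) for p in raw.split(":", 1))
    except ValueError:
        return "invalid_client"
    reg = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so secret checks do not leak timing information.
    if reg is None or not hmac.compare_digest(reg["secret"].encode(), secret.encode()):
        return "invalid_client"
    if body.get("grant_type") not in reg["allowed_grants"]:
        return "unauthorized_client"
    if not set(body.get("scope", "").split()) <= reg["allowed_scopes"]:
        return "invalid_scope"
    return "ok"
```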
