Ali Farhoudi

Reputation: 6020

What is the purpose of the password grant type (ROPC) in OAuth2?

As far as I know, for clients that are ours (mobile applications) we can use the password grant type, which authorizes the client using client_id, client_secret and the user's username and password.

I wanted to know what the advantage of using client_secret is over sending the username and password without a client_secret.

When we use client_secret and someone just decompiles the Android application and obtains the client_secret, what's the benefit of having it in the first place?

Upvotes: 3

Views: 1299

Answers (1)

João Angelo

Reputation: 57718

You have a couple of questions there, so let's take them one by one.

What is the purpose of password grant type (ROPC) in OAuth2?

The big objective of this grant type is to provide a seamless migration to OAuth 2.0 for applications that were storing the username and password of the end-users as a way to access other resources on their behalf. Storing user passwords is a big no-no, so having a quick migration step is one good way to ensure developers will move to OAuth 2.0.

... what is the advantage of using client_secret over sending username and password without client_secret?

The username and password serve the purpose of authenticating the end-user; that is, to be sure that the request comes from the user with a specific identity. The client secret has a similar purpose: it's used to authenticate the client application itself.

The advantage is that you can trust that the request is being issued from a known and trusted client. Mostly useful if being able to securely differentiate between more than one client is a requirement.

In relation to using a client secret in a native application that someone can just decompile and get the secret, you're correct in considering this worthless because you can't trust that type of client authentication.

However, OAuth2 only requires the client secret to be used for confidential clients, which is not the case for a native application incapable of securely maintaining a client secret. In this case you perform ROPC without client credentials/secret.


This possibility is illustrated in the example tutorial from Auth0 about how you can perform a ROPC grant type request. As you can see in the following snippet it does make use of the client secret parameter as it assumes this is a non-confidential client:

// Options object for the `request` library; note that no client_secret
// field is sent, since this is a public (non-confidential) client.
var options = { method: 'POST',
  url: 'https://YOUR_AUTH0_DOMAIN/oauth/token',
  headers: { 'content-type': 'application/json' },
  body:
   { grant_type: 'password',
     username: '[email protected]',
     password: 'pwd',
     audience: 'https://someapi.com/api',
     scope: 'read:sample',
     client_id: 'XyD....23S' },
  json: true };

Upvotes: 4
