Mike
Reputation: 663
Why do I need a client id for OAuth2 password grant flow?
Example:
POST /oauth/token HTTP/1.1
Host: authorization-server.com
Content-type: application/x-www-form-urlencoded
grant_type=password
&username=exampleuser
&password=1234luggage
&client_id=xxxxxxxxxx
Why do I need a client id for OAuth2 password grant flow? Why is username and password not enough?
Upvotes: 2
Views: 816
Answers (1)
Takahiko Kawasaki
Reputation: 18991
The token endpoint will issue an access token. The access token denotes "Who grants what permissions to whom."
- Who here is the user who is identified by
username. - what permissions here are scopes listed in a
scoperequest parameter (although your example does not include thescoperequest parameter). - whom here is a client application.
For the authorization server to know whom (i.e. a client application), you need to include a client_id request parameter.
Upvotes: 3
Related Questions
- OAuth2 Password Grant Type with Client_Id & Client_Secret
- OAuth2 Client Credential flow - What is the purpose of getting an access token?
- Oauth2.0 Authorization Code Grant ClientId & Secret Confusion
- OAuth2: What exactly is the "client"
- Why does Authorization Request not require client secret in OAuth2 Authorization Code Grant Flow?
- Understanding OpenId Connect client_credentials grant in terms of identity
- Understanding the need of client id, client secret in oauth 2.0
- Are Client Credentials optional in the oAuth2 Resource Owner Password Credentials Grant flow?
- What is the use of client_id and client_secret in 2-legged Authentication in OAuth 2.0
- OAuth 2 - What is the difference between 'Username and Password Flow' vs 'Client Credential Flow'