Josef

Reputation: 63

OAuth 2.0: client_id and client_secret to be sent only in the initial request for authorization?

Should an OAuth 2.0 client send its client_id and client_secret only in its initial request for authorization? Or in every request it sends to the Authorization/Resource Server? Thanks in advance!

@Edit 1: We are trying to implement the 'Resource Owner Password Credentials' flow.

@Edit 2: My guess is that you don't need to send it after you have acquired the access token, because when you already have the access token, the client sends its request directly to the Resource Server. But if you need a refresh token and request one from the Authorization Server, then you need to send client_id and client_secret too. Or am I mistaken?

Upvotes: 0

Views: 698

Answers (1)

Alex83690

Reputation: 817

It all depends on what you want to do with OAuth (the flow you use).

You should refer to the flows described here: https://www.rfc-editor.org/rfc/rfc6749

The client_id is required when you redirect to the authorization endpoint of the authorization server. The secret is used when you exchange an authorization code with the authorization server. Then you should send your access token with every request from your client to your resource server (API) using the "Authorization" header.

Upvotes: 1
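To make the split concrete for the Resource Owner Password Credentials flow the question asks about, here is an added example (not code from the question or the answer) that builds the three requests a confidential client makes: the password-grant token request and the refresh request both go to the token endpoint and carry the client credentials (RFC 6749 §2.3.1, §4.3.2, §6), while the resource request carries only the bearer token (RFC 6750 §2.1). The endpoint, client id and secret are constructed placeholders; the last function is a local check that the secret never ends up in a request to the resource server.

```python
import base64
from urllib.parse import urlencode, quote, unquote

# Constructed placeholder values for this example; load real secrets from a secret store.
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"
FORM = "application/x-www-form-urlencoded"

def basic_auth_header(client_id, client_secret):
    """RFC 6749 §2.3.1: form-urlencode id and secret, then send them as HTTP Basic."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def parse_basic_auth_header(value):
    """Inverse of basic_auth_header, as the authorization server would parse it."""
    scheme, _, b64 = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("expected HTTP Basic client authentication")
    cid, _, secret = base64.b64decode(b64).decode().partition(":")
    return unquote(cid), unquote(secret)

def password_grant_request(username, password):
    """RFC 6749 §4.3.2: the ROPC token request authenticates the client and carries the user's credentials."""
    return {"method": "POST", "url": TOKEN_ENDPOINT,
            "headers": {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET), "Content-Type": FORM},
            "body": urlencode({"grant_type": "password", "username": username, "password": password})}

def refresh_request(refresh_token):
    """RFC 6749 §6: a refresh also goes to the token endpoint, so a confidential client authenticates again."""
    return {"method": "POST", "url": TOKEN_ENDPOINT,
            "headers": {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET), "Content-Type": FORM},
            "body": urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})}

def resource_request(url, access_token):
    """RFC 6750 §2.1: the resource server only ever sees the bearer token, never the client secret."""
    return {"method": "GET", "url": url, "headers": {"Authorization": f"Bearer {access_token}"}}

def mentions_client_secret(request):
    """Local check: True if the client secret (raw or Basic-encoded) appears anywhere in the request."""
    blob = " ".join(request["headers"].values()) + " " + request.get("body", "")
    return CLIENT_SECRET in blob or basic_auth_header(CLIENT_ID, CLIENT_SECRET) in blob

if __name__ == "__main__":
    # Token and refresh requests carry the secret; the API call must not.
    print(mentions_client_secret(password_grant_request("alice", "pw")))   # True
    print(mentions_client_secret(refresh_request("rt-123")))               # True
    print(mentions_client_secret(resource_request("https://api.example.com/me", "at-abc")))  # False
```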
