How to authenticate API caller using Client ID and Secret

Time:10-08

I have registered client applications with APIs, and they have given me a Client ID and a Secret. Sometimes I have to include my client ID to initiate the usage of this API, for example with Azure AD.

But how is the client Secret used exactly? Are they comparing my client ID and secret like a user/password combination? Or is the Client secret used to encrypt the call, or just to include a hash?

I have read through several OAuth and other docs and I haven't come across an explanation for this.

PS: I'm trying to build an Express microservice, and my other services want to talk to it with authentication but without a session. I thought of adopting the client/secret model for the other services, but I have to implement it.

TIA for any explanations or leads!

CodePudding user response:

Client id and client secret are like a user name and password for your project.

When your project needs to exchange authorization codes it uses the secret to verify that it is in fact the client it says it is.

So a command like this exchanges the authorization code by sending the client id and client secret for the application to the authorization server. This way the server knows that the client is the client it says it is, because it knows the password.

curl -s \
--request POST \
--data "code=4/1AY0e-g7BhBt0QU9f5HTgNDGNR1GYtH12q4xvgL_D2Q34A&client_id=XXXX.apps.googleusercontent.com&client_secret=zYAoXDam3mqsdwabh3dQ3NTh&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token 

Understanding Google OAuth 2.0 with curl
