Why is the Client Secret required, but then not really if you just use the JavaScript client?
This isn't logical. Can someone please explain to me why the secret is required when making the REST call directly?
The JavaScript API doesn't require "client secret":
WL.init({
    client_id: APP_CLIENT_ID,
    redirect_uri: REDIRECT_URL,
    scope: "wl.signin",
    response_type: "token"
});
But if you want to make the REST call directly it's needed:
POST https://login.live.com/oauth20_token.srf
Content-type: application/x-www-form-urlencoded
client_id=CLIENT_ID&redirect_uri=REDIRECT_URL&client_secret=CLIENT_SECRET&code=AUTHORIZATION_CODE&grant_type=authorization_code
Code from: http://msdn.microsoft.com/en-us/library/hh243641.aspx
I am assuming that the client secret is a security feature; if so, why can the connection through the JS API be made with fewer security constraints than a direct connection to the service? So it looks like "optionally required" depending on context, which makes it an oxymoron to me, but maybe I missed something.
Probably because the server side code offers you more access such as:
Required. Specifies the scopes to which the user who is signing in consents. For a single scope, use this format: scope: "wl.signin". For multiple scopes, use this format: scope: ["wl.signin", "wl.basic"]. If no scope is provided, the scope value of WL.init is used. If no scope is provided in WL.init or WL.login, WL.login returns an error. Note WL.login can request the "wl.offline_access" scope, but it requires a server-side implementation, and the WL.init function must set its response_type property to "code".
Basically the client secret gives you higher security clearance so you can access extra stuff that you can't do otherwise.
Note: You may be able to get around this limitation by provisioning your app as desktop/mobile app at your live sdk dashboard.
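To make the difference between the two calls in the question and the "higher clearance" point in the answer concrete, here is an added example, not code from the original post or from the Live SDK. It is a small in-memory model of an OAuth 2.0 authorization and token endpoint: the implicit flow (`response_type: "token"`, what the JavaScript SDK uses) hands the access token straight back in the URL fragment with no secret involved, while the authorization-code flow (`response_type: "code"` followed by the POST to the token endpoint) only redeems the code when the caller presents the secret registered for that client. All client ids, secrets, scopes and URLs below are constructed for illustration; the scope set that is restricted to server-side apps is an assumption modelled on the `wl.offline_access` note in the answer.

```python
"""Model of why the token endpoint asks for client_secret while the
JavaScript (implicit, response_type=token) flow does not.

Added example, not from the original post or from the Live SDK. Every
identifier, secret and URL here is constructed for illustration."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data: a server-side ("confidential") app that
# was issued a secret when it was registered.
REGISTERED_CLIENTS = {
    "example-app-id": {
        "secret": "example-app-secret",        # constructed, never a real one
        "redirect_uri": "https://app.example/cb",
    }
}
# Assumption: scopes that only a server-side app may obtain (the answer
# names wl.offline_access as one that needs a server-side implementation).
SERVER_SIDE_ONLY_SCOPES = {"wl.offline_access"}

# code -> (client_id, redirect_uri, scope), filled in when the user consents
_ISSUED_CODES = {}


def authorize(client_id, redirect_uri, scope, response_type):
    """Authorization endpoint, after the user has consented.

    Returns the URL the browser is redirected to.  The implicit flow puts
    the access token in the URL fragment (never sent to any server, read by
    the JS SDK); the code flow returns a one-time code that must later be
    exchanged at the token endpoint by the party holding the secret."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return None  # unknown client or redirect mismatch: refuse to redirect
    requested = set(scope.split())
    if response_type == "token":
        if requested & SERVER_SIDE_ONLY_SCOPES:
            return redirect_uri + "#" + urlencode({"error": "invalid_scope"})
        token = secrets.token_urlsafe(16)
        return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})
    if response_type == "code":
        code = secrets.token_urlsafe(16)
        _ISSUED_CODES[code] = (client_id, redirect_uri, scope)
        return redirect_uri + "?" + urlencode({"code": code})
    return redirect_uri + "?" + urlencode({"error": "unsupported_response_type"})


def token_request(client_id, redirect_uri, code, client_secret=None):
    """Build the form body a server-side app POSTs to the token endpoint."""
    form = {"client_id": client_id, "redirect_uri": redirect_uri,
            "code": code, "grant_type": "authorization_code"}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return urlencode(form)


def exchange_code(form_body):
    """Token endpoint for grant_type=authorization_code.

    The secret proves that the party redeeming the code is the registered
    server, so a code seen in a redirect URL is worthless on its own.  The
    secret is checked first, so a bad request does not burn the code."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
    presented = form.get("client_secret", "")
    if client is None or not hmac.compare_digest(client["secret"], presented):
        return {"error": "invalid_client"}
    issued = _ISSUED_CODES.pop(form.get("code", ""), None)  # one-time use
    if issued is None or issued[1] != form.get("redirect_uri"):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(16),
            "token_type": "bearer", "scope": issued[2]}


def token_from_fragment(redirect_url):
    """What the JavaScript SDK does with the implicit redirect: read the
    token out of the fragment, which the browser keeps client-side."""
    return {k: v[0] for k, v in parse_qs(urlparse(redirect_url).fragment).items()}


def code_from_query(redirect_url):
    """What the server-side app reads from the code-flow redirect."""
    return parse_qs(urlparse(redirect_url).query)["code"][0]


if __name__ == "__main__":
    cb = "https://app.example/cb"
    print(token_from_fragment(authorize("example-app-id", cb, "wl.signin", "token")))
    code = code_from_query(authorize("example-app-id", cb, "wl.signin wl.offline_access", "code"))
    print(exchange_code(token_request("example-app-id", cb, code)))                      # no secret
    print(exchange_code(token_request("example-app-id", cb, code, "example-app-secret")))  # with secret
```

Running the `__main__` section shows the three cases side by side: the implicit redirect carries a bearer token and no secret is ever involved, the same code exchange without `client_secret` is rejected with `invalid_client`, and the exchange with the secret succeeds. The secret therefore does not make the JavaScript flow "less secure"; it is the credential of a confidential client, which is exactly why it has no place in browser code and why the scopes that need it are only granted through the code flow.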