A bit of a beginner to OAuth and wanted to ask if I understood something correctly. I'm using OWIN and C# and I set up the following scenario:
a user makes a request to my token endpoint, passing in a username/password with a grant_type of password. If the credentials are valid, then I create a JWT.
The user gets back a JWT, and then the client uses that token going forward for all requests
Any requests that require authorization I use the token's claims to ensure the user is allowed to make this request.
So where does the client_id and client_secret come into this? Is this just an extra layer of security to say "before you can even get a token, you need to pass me another set of credentials (id/secret), and only if those are valid, in addition to your username/password provided, can you get back a JWT"?
Would like to understand how the two relate - Thanks so much!
Both client_id and client_secret are not used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios.
Namely:
the authorization code flow, used in web apps that authenticate users server-side. The client_id is used in the initial redirect; the client_secret is used in the last step, where the app exchanges the one-time code for a token.
the client credentials flow, used to authenticate applications rather than individual users.
A concise reference of all various flows: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
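To make the two places named above concrete, here is an added, self-contained Python simulation of the authorization code flow (example code written for this answer, not OWIN/C# code and not from the linked article). It models an in-memory authorization server with one constructed registered client ("web-app-1", its secret, and its redirect URI are all made-up values): client_id travels in the browser-visible redirect, client_secret only in the server-to-server code exchange, and the token endpoint enforces the checks that make the secret and the one-time code worth anything (constant-time secret comparison, exact redirect_uri match, code expiry, single use).

```python
"""Constructed simulation of the OAuth2 authorization code flow (not OWIN code).
Shows client_id in the initial redirect and client_secret in the code exchange."""
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registration; a real server loads this from its client store.
REGISTERED_CLIENTS = {
    "web-app-1": {
        "secret": "s3cr3t-example",  # assumed confidential client with a server-side secret
        "redirect_uri": "https://app.example/callback",
    }
}
CODE_TTL_SECONDS = 60


class AuthServer:
    """Issues one-time codes bound to a client and redirect_uri, then redeems them."""

    def __init__(self):
        self._codes = {}  # code -> {client_id, redirect_uri, user, expires}

    # Step 1: the browser is redirected here. Only client_id is present;
    # the secret must never appear in a URL the user agent sees.
    def authorize(self, query: str, authenticated_user: str) -> str:
        params = {k: v[0] for k, v in parse_qs(query).items()}
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if client is None or params.get("response_type") != "code":
            raise ValueError("unknown client or unsupported response_type")
        # Exact match: a looser check would let the code be delivered elsewhere.
        if params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": params["client_id"], "user": authenticated_user,
                             "redirect_uri": params["redirect_uri"],
                             "expires": time.time() + CODE_TTL_SECONDS}
        # Redirect back to the app with the one-time code and the echoed state.
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": params.get("state", "")})

    # Step 2: the app's backend posts the code together with its client credentials.
    def token(self, form: dict, client_id: str, client_secret: str) -> dict:
        client = REGISTERED_CLIENTS.get(client_id)
        # compare_digest: constant-time, so the check does not leak the secret via timing
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        record = self._codes.pop(form.get("code"), None)  # pop: a code is redeemable once
        if record is None or record["expires"] < time.time():
            raise PermissionError("invalid_grant")
        if record["client_id"] != client_id or record["redirect_uri"] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": record["user"]}


def build_authorize_url(auth_endpoint: str, client_id: str, redirect_uri: str, state: str) -> str:
    """The app's initial redirect: carries client_id and state, never the secret."""
    return auth_endpoint + "?" + urlencode({"response_type": "code", "client_id": client_id,
                                            "redirect_uri": redirect_uri, "state": state})


def run_flow() -> dict:
    """Drive both steps end to end and return the token response."""
    server = AuthServer()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url("https://auth.example/authorize", "web-app-1",
                              "https://app.example/callback", state)
    # The user signs in at the authorization server, which redirects back with a code.
    callback = server.authorize(urlparse(url).query, authenticated_user="alice")
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    assert cb["state"] == state  # the app's CSRF check before it trusts the code
    # Back-channel exchange: the secret goes server-to-server only.
    return server.token({"grant_type": "authorization_code", "code": cb["code"],
                         "redirect_uri": "https://app.example/callback"},
                        client_id="web-app-1", client_secret="s3cr3t-example")


def replay_is_rejected() -> bool:
    """A wrong secret, or a code presented a second time, must be refused."""
    server = AuthServer()
    callback = server.authorize(
        "response_type=code&client_id=web-app-1&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback", "bob")
    code = parse_qs(urlparse(callback).query)["code"][0]
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": "https://app.example/callback"}
    try:
        server.token(form, "web-app-1", "wrong-secret")
        return False
    except PermissionError:
        pass
    server.token(form, "web-app-1", "s3cr3t-example")  # first redemption succeeds
    try:
        server.token(form, "web-app-1", "s3cr3t-example")  # second redemption fails
        return False
    except PermissionError:
        return True
```

Calling run_flow() walks through both legs; replay_is_rejected() shows why the secret and the single-use code matter: without the secret, anyone who captured the code from the redirect could redeem it, and without single use, a leaked code stays valuable after the legitimate exchange. In the password grant the question describes, neither leg exists, which is why the answer says those two values play no part there.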