Tags: authentication, identityserver4, openid

How to create a client_secret for IdentityServer4?


I am creating an Authentication Server using IdentityServer4.

I am creating a client that will be accessed using Resource Owner Password Credentials.

But I am wondering what should be the client_id and client_secret.

Should the client_id be a human-readable name of the client, e.g. the app name, or should it be a random number or string?

The client_secret is a string, but what should its value be? A UUID? A random string? A base64 string?

I went through the IdentityServer4 and OpenID documentation but could not find any guidance.

Here's the example they have provided in their docs.

new Client
{
    ClientId = "client",

    // no interactive user, use the clientid/secret for authentication
    AllowedGrantTypes = GrantTypes.ClientCredentials,

    // secret for authentication
    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },

    // scopes that client has access to
    AllowedScopes = { "api1" }
}

As you can see in the example, they have set up a human-friendly client_id.


Solution

    • client_id: is a public identifier for each client. It must be unique across all clients that the authorization server handles. It is public, but it is better that it not be guessable by third parties. Examples:
    Github: 6779ef20e75817b79602
    Google: 292085223830.apps.googleusercontent.com
    Instagram: f2a1ed52710d4533bde25be6da03b6e3
    Windows Live: 00000000400ECB04
    
    • client_secret: is known only to the client and the authorization server. It must be random so that it is not guessable. The best way to generate it is to use a cryptographically secure library. You should avoid using common UUID libraries.

    Read more about secrets for IdentityServer4 here
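One way to put the answer into practice, as an added example that is not from the question, the answer or the IdentityServer4 docs: draw both the client_id and the client_secret from .NET's CSPRNG, hand the plaintext secret to the client operator once, and keep only the SHA-256 form that the docs example stores via Sha256(). It assumes .NET 6 or later and the IdentityServer4 package; the class and method names are made up for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using IdentityServer4.Models;

public static class ClientSecretFactory
{
    // 256 bits of entropy for the secret; 80 bits for the public, opaque client_id.
    private const int SecretBytes = 32;
    private const int ClientIdBytes = 10;

    // Opaque client_id in the style of the GitHub example above (20 lowercase hex chars).
    // Unique and hard to guess, while the human-friendly name lives in ClientName.
    public static string GenerateClientId()
    {
        byte[] raw = RandomNumberGenerator.GetBytes(ClientIdBytes);
        return Convert.ToHexString(raw).ToLowerInvariant();
    }

    // client_secret from the platform CSPRNG, not from Guid.NewGuid()/UUID helpers.
    // The Base64 text is shown to the client operator once and never persisted in plaintext.
    public static string GeneratePlaintextSecret()
    {
        byte[] raw = RandomNumberGenerator.GetBytes(SecretBytes);
        return Convert.ToBase64String(raw);
    }

    // What IdentityServer4's Sha256() extension stores: Base64(SHA-256(UTF-8 bytes of the secret)).
    // Shown here so the stored value can be reproduced outside the library, e.g. in a migration.
    public static string HashForStorage(string plaintextSecret)
    {
        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes(plaintextSecret));
        return Convert.ToBase64String(digest);
    }

    // Same shape as the docs example, but for the Resource Owner Password flow
    // and with generated identifiers instead of "client" / "secret".
    public static (Client client, string plaintextSecret) CreateRopcClient(string displayName)
    {
        string plaintext = GeneratePlaintextSecret();
        var client = new Client
        {
            ClientId = GenerateClientId(),
            ClientName = displayName,                      // human-readable name goes here
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets = { new Secret(HashForStorage(plaintext)) },  // equal to plaintext.Sha256()
            AllowedScopes = { "api1" }
        };
        return (client, plaintext);
    }
}
```

Return the plaintext to the operator through a one-time channel and discard it; IdentityServer4 hashes the secret presented at the token endpoint and compares it against the stored value itself.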