OAuth 2 Client

An OAuth 2 Client is an application that makes protected resource requests on behalf of the resource owner and with its authorization.

Client Registration

Before initiating the authorization process, the client registers with the authorization server. As a result of registration the client acquires the credentials it needs: a client identifier and, optionally, a client password.

Essential Client Data

Client identifier - a string, unique within the authorization server, that identifies the registration information provided by the client. It is not a secret and is visible to the resource owner.

Authentication method - how the client authenticates at the token endpoint. Can be set to one of the following:

  • none - the client does not authenticate (public client); it only sends its client identifier;

  • client_secret_basic - the client identifier and password are sent in the HTTP Authorization header using the Basic scheme;

  • client_secret_post - the client identifier and password are sent as parameters in the request body;

  • private_key_jwt - the client sends a JWT signed with its private key as a client assertion.

Client password - the secret used for client authentication. Required when the authentication method is client_secret_basic or client_secret_post.

JWKs URL - the URL of the client's public key set (JWK Set). Required for the private_key_jwt authentication method; the authorization server fetches the keys from it to validate the signature of the client JWT.
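The following is an added example, not code from the original page: it shows where the client password travels for client_secret_basic and client_secret_post, and how a token endpoint extracts and checks it. The client store, the function names and the sample identifiers and secrets are assumptions constructed for illustration; private_key_jwt is left out because it needs an asymmetric signing library.

```python
"""Client authentication at the token endpoint (added example, not the page's code).
The registry, function names and sample credentials are assumptions for illustration."""
import base64
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed registry: client_id -> (registered authentication method, secret or None).
CLIENTS = {
    "s6BhdRkqt3": ("client_secret_basic", "7Fjfp0ZBr1KtDRbnfVdmIw"),
    "web-app-2": ("client_secret_post", "gX1fBat3bV"),
    "native-app": ("none", None),
}


def build_token_request(client_id: str, method: str, secret: Optional[str],
                        form: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Client side: return (headers, body) for a POST to the token endpoint."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(form)
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: identifier and password are form-urlencoded
        # before Basic encoding, so a ':' inside either value survives the round trip.
        creds = quote(client_id, safe="") + ":" + quote(secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = secret
    elif method == "none":
        body["client_id"] = client_id  # public client: identified, not authenticated
    else:
        raise ValueError("unsupported authentication method: " + method)
    return headers, body


def _credentials_from_request(headers: Dict[str, str],
                              body: Dict[str, str]) -> Tuple[Optional[str], Optional[str], str]:
    """Server side: pull (client_id, secret, method used) out of the request."""
    auth = headers.get("Authorization", "")
    in_header = auth.startswith("Basic ")
    in_body = "client_secret" in body
    # RFC 6749 section 2.3: a client must not use more than one authentication method.
    if in_header and in_body:
        raise ValueError("credentials sent in both header and body")
    if in_header:
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:
            raise ValueError("malformed Basic credentials") from None
        user, _, password = decoded.partition(":")
        return unquote(user), unquote(password), "client_secret_basic"
    if in_body:
        return body.get("client_id"), body["client_secret"], "client_secret_post"
    return body.get("client_id"), None, "none"


def authenticate_client(headers: Dict[str, str], body: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, client_id or error) using the method registered for the client."""
    try:
        client_id, secret, used = _credentials_from_request(headers, body)
    except ValueError as exc:
        return False, str(exc)
    if client_id not in CLIENTS:
        return False, "unknown client"
    registered_method, registered_secret = CLIENTS[client_id]
    if used != registered_method:
        # A confidential client that simply omits its secret must not be accepted
        # as if it were registered with the 'none' method.
        return False, "authentication method does not match registration"
    if registered_method == "none":
        return True, client_id
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if secret is None or not hmac.compare_digest(secret.encode(), registered_secret.encode()):
        return False, "invalid client secret"
    return True, client_id


if __name__ == "__main__":
    hdrs, form = build_token_request("s6BhdRkqt3", "client_secret_basic",
                                     "7Fjfp0ZBr1KtDRbnfVdmIw", {"grant_type": "authorization_code",
                                                                "code": "SplxlOBeZQQYbYS6WxSbIA"})
    print(hdrs["Authorization"])
    print(authenticate_client(hdrs, form))
```

The check that the method used matches the registered one is the part most often missing in hand-written token endpoints: without it, any confidential client can be "authenticated" by sending only its public client identifier.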

Redirect URLs - the allowed callbacks for authorization requests. Several URLs can be registered; the redirect_uri of an authorization request must exactly match one of them, otherwise the request is rejected.

Scopes - the scopes of access the client is allowed to request. An authorization request may ask for any subset of the allowed scopes, but not for a scope outside of them.

Response types - the allowed response types. They can be:

  • implicit - the authorization server returns the Access Token directly in the redirect after the authorization process;

  • authorization code - the authorization server returns an authorization code, which the client exchanges for an Access Token in a separate request to the token endpoint.

The implicit flow does not support Refresh Tokens and is generally not recommended for security reasons, since the Access Token is exposed in the redirect URL.

Grant types - the allowed grant types. For the authorization code flow this is usually set to authorization_code, for exchanging the code, and refresh_token, for refreshing tokens.
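The following is an added example, not code from the original page: it shows how an authorization server checks an authorization request and a token request of the authorization code flow against the registered redirect URLs, scopes, response types and grant types described above. The ClientRegistration record, the function names and the sample client are assumptions constructed for illustration.

```python
"""Checking requests against a client's registration (added example, not the page's code).
The record layout, function names and sample client are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class ClientRegistration:
    """The essential client data of the page, as an in-memory record."""
    client_id: str
    redirect_uris: FrozenSet[str]
    scopes: FrozenSet[str]
    response_types: FrozenSet[str]  # subset of {"code", "token"}
    grant_types: FrozenSet[str]     # subset of {"authorization_code", "refresh_token"}


def build_authorization_url(auth_endpoint: str, client: ClientRegistration,
                            redirect_uri: str, scopes: Iterable[str], state: str) -> str:
    """Client side: construct the authorization request for the authorization code flow."""
    if redirect_uri not in client.redirect_uris:
        raise ValueError("redirect_uri is not one of the registered callbacks")
    query = {
        "response_type": "code",
        "client_id": client.client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return auth_endpoint + "?" + urlencode(query)


def parse_request_params(url: str) -> Dict[str, str]:
    """Flatten the query string; a parameter sent twice is ambiguous and is rejected."""
    params = {}
    for key, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"parameter {key!r} sent more than once")
        params[key] = values[0]
    return params


def validate_authorization_request(client: ClientRegistration,
                                   params: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Server side: every value of the request must be covered by the registration."""
    if params.get("client_id") != client.client_id:
        return False, "unknown client_id"
    # Exact string match against the registered callbacks. Prefix or host-only
    # matching lets an attacker-controlled path on the same host receive the code.
    if params.get("redirect_uri") not in client.redirect_uris:
        return False, "redirect_uri not registered"
    if params.get("response_type") not in client.response_types:
        return False, "response_type not allowed for this client"
    requested = set(params.get("scope", "").split())
    if not requested:
        return False, "scope missing"
    # Any combination of the allowed scopes is fine; anything outside them is not.
    if not requested <= client.scopes:
        return False, "scope not allowed: " + " ".join(sorted(requested - client.scopes))
    return True, None


def validate_token_request(client: ClientRegistration,
                           params: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Server side: code exchange and refresh must use a grant type the client registered."""
    grant_type = params.get("grant_type")
    if grant_type not in client.grant_types:
        return False, "grant_type not allowed for this client"
    if grant_type == "authorization_code":
        if not params.get("code"):
            return False, "code missing"
        if params.get("redirect_uri") not in client.redirect_uris:
            return False, "redirect_uri not registered"
    elif grant_type == "refresh_token" and not params.get("refresh_token"):
        return False, "refresh_token missing"
    return True, None


# Constructed sample registration for a confidential web application.
SAMPLE_CLIENT = ClientRegistration(
    client_id="s6BhdRkqt3",
    redirect_uris=frozenset({"https://app.example.com/callback"}),
    scopes=frozenset({"profile", "email", "offline_access"}),
    response_types=frozenset({"code"}),  # implicit ("token") is not registered
    grant_types=frozenset({"authorization_code", "refresh_token"}),
)

if __name__ == "__main__":
    url = build_authorization_url("https://auth.example.com/authorize", SAMPLE_CLIENT,
                                  "https://app.example.com/callback", {"profile"}, "af0ifjsldkj")
    print(url)
    print(validate_authorization_request(SAMPLE_CLIENT, parse_request_params(url)))
```

Because the sample client registered only the code response type, a request with response_type=token is refused even though the server may support the implicit flow for other clients; the registration, not the server's capabilities, decides what a given client may do.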

Visual Data

This data is shown to the end-user during the login flow (optionally) and the consent flow (strongly recommended).

Client name - a human-readable client name, usually the project or company name.

Logo - the URL of the client logo.

The client may also store the URLs of its Privacy Policy and/or Terms of Service pages.

Information about client owner

This includes the owner name in human-readable form and a list of contacts.
