Client

  • The piece of software that gets a token from the authorization server and uses that token with a protected resource.

  • Identified by a string known as the client identifier, i.e. the value sent in the client_id parameter.

  • Responsibilities are largely centered on obtaining tokens from the authorization server and using tokens with the protected resource.

    • The client doesn't have to understand the access token, nor should it ever need to inspect the token's contents: the token is opaque to the client and is simply presented to the protected resource.

  • The Client and Authorization Server need to know a few things about each other before they can talk.

    • This includes the Authorization Server knowing the client_id.

    • For confidential clients (typically a server-side application using the Authorization Code Flow), this also includes a client_secret shared by both sides, which the Authorization Server checks when the client authenticates at the token endpoint.

  • OAuth defines two types of clients:

    • Public Clients - Unable to hold configuration-time secrets and therefore have no client_secret (for example a browser-based application using the Implicit Flow).

    • Confidential Clients - Able to hold configuration-time secrets such as a client_secret (for example a server-side web application using the Authorization Code Flow).
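The responsibilities above (identify by client_id, obtain a token, present it to the protected resource without ever parsing it) as a worked example. This is an added example, not code from the original page: the endpoint URLs, client_id, client_secret and redirect URI are constructed, the Authorization Server and protected resource are in-memory stand-ins so it runs offline, and the client_secret is sent with HTTP Basic authentication and a state parameter is checked on the redirect, which follows RFC 6749 practice rather than anything stated on this page.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints and identifiers (constructed for this example).
AUTHZ_ENDPOINT = "https://as.example/authorize"
TOKEN_ENDPOINT = "https://as.example/token"
REDIRECT_URI = "https://app.example/callback"
CLIENT_ID = "demo-web-app"
CLIENT_SECRET = "s3cr3t-configured-at-deploy-time"


# ---- client side: what a confidential client actually does ----
def build_authorization_request(client_id, redirect_uri, scope, state):
    """Step 1: send the user-agent to the AS, identifying ourselves by client_id only."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: read the code off the redirect; reject it if state does not match."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF on the redirect URI")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: exchange the code. The client_secret travels in an HTTP Basic
    Authorization header (RFC 6749 section 2.3.1), never in the query string."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}"}
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return headers, body


def build_resource_request(access_token):
    """Step 4: present the token. It is opaque to us: we never decode or parse it."""
    return {"Authorization": f"Bearer {access_token}"}


# ---- in-memory stand-ins for the Authorization Server and protected resource ----
class AuthorizationServer:
    def __init__(self, registered_clients):
        self.clients = registered_clients   # client_id -> client_secret (None = public client)
        self.codes = {}                     # code -> (client_id, redirect_uri)
        self.tokens = {}                    # opaque token -> client_id

    def authorize(self, request_url):
        q = parse_qs(urlparse(request_url).query)
        client_id = q["client_id"][0]
        if client_id not in self.clients:
            raise PermissionError("unknown client_id")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, q["redirect_uri"][0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, headers, body):
        scheme, _, creds = headers.get("Authorization", "").partition(" ")
        client_id, _, secret = base64.b64decode(creds).decode().partition(":")
        expected = self.clients.get(client_id)
        if scheme != "Basic" or expected is None or not secrets.compare_digest(secret, expected):
            raise PermissionError("client authentication failed")
        issued_to, redirect_uri = self.codes.pop(body["code"], (None, None))  # codes are single-use
        if issued_to != client_id or redirect_uri != body["redirect_uri"]:
            raise PermissionError("code was not issued to this client / redirect_uri")
        token = secrets.token_urlsafe(24)   # opaque handle, meaningless to the client
        self.tokens[token] = client_id
        return {"access_token": token, "token_type": "Bearer"}


class ProtectedResource:
    def __init__(self, authz_server):
        self.authz_server = authz_server

    def get(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        client_id = self.authz_server.tokens.get(token)
        if scheme != "Bearer" or client_id is None:
            return 401, None
        return 200, {"issued_to": client_id}


def run_flow(client_secret=CLIENT_SECRET):
    """Drive the whole exchange; returns the protected resource's (status, body)."""
    authz = AuthorizationServer({CLIENT_ID: CLIENT_SECRET})
    resource = ProtectedResource(authz)
    state = secrets.token_urlsafe(8)
    callback = authz.authorize(build_authorization_request(CLIENT_ID, REDIRECT_URI, "read", state))
    code = parse_callback(callback, state)
    headers, body = build_token_request(CLIENT_ID, client_secret, code, REDIRECT_URI)
    token_response = authz.token(headers, body)
    return resource.get(build_resource_request(token_response["access_token"]))


if __name__ == "__main__":
    print(run_flow())   # (200, {'issued_to': 'demo-web-app'})
```

Note that nothing on the client side ever looks inside `access_token`; only the stand-in Authorization Server knows what the string maps to. Calling `run_flow(client_secret="wrong")` fails at the token endpoint, which is exactly the step where being a confidential client matters.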
