Client
The piece of software that gets a token from the authorization server and uses that token with a protected resource.
Identified by a special string known as the client identifier, AKA the value found in the client_id parameter.
Responsibilities are largely centered on obtaining tokens from the authorization server and using tokens with the protected resource.
The Client doesn't have to understand the token, nor should it ever need to inspect the token's contents.
The Client and Authorization Server need to know a few things about each other before they can talk.
This includes the Authorization Server knowing the client_id.
In cases where the Authorization Code Flow is used, this includes the Authorization Server knowing the client_secret.
OAuth defines two types of clients:
Public Clients - Unable to hold configuration secrets, therefore having no client secrets (this is found within the Implicit Flow).
Confidential Clients - Able to hold configuration-time secrets (such as in the Authorization Code Flow).
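An added example (not from the original page): how an authorization server might tell the two client types apart when a client identifies itself at the token endpoint, together with the client's side of HTTP Basic authentication as described in RFC 6749 section 2.3.1. The registry contents, client names and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed registration data: what the authorization server knows per client.
# Confidential clients have a stored secret hash (plain SHA-256 here for brevity);
# public clients have no secret at all.
REGISTRY = {
    "web-app": {"type": "confidential",
                "secret_sha256": hashlib.sha256(b"s3cr3t:/value").hexdigest()},
    "spa-app": {"type": "public", "secret_sha256": None},
}

def basic_header(client_id, client_secret):
    """Client side: form-urlencode both values, then Base64 them for HTTP Basic."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def authenticate_client(headers, form):
    """Server side: return the client_id if the request is acceptable, else None."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:  # covers malformed Base64 and invalid UTF-8
            return None
        cid, _, secret = raw.partition(":")
        cid, secret = unquote_plus(cid), unquote_plus(secret)
    else:
        # No credentials presented: only the client_id parameter identifies the client.
        cid, secret = form.get("client_id"), None
    client = REGISTRY.get(cid)
    if client is None:
        return None
    if client["type"] == "public":
        # A public client cannot hold a secret, so one being sent is a registration mismatch.
        return cid if secret is None else None
    if secret is None:
        return None  # confidential clients must always present their client_secret
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison avoids leaking how much of the value matched.
    return cid if hmac.compare_digest(presented, client["secret_sha256"]) else None
```

The sample secret deliberately contains ":" and "/" to show why both values are form-urlencoded before being joined with a colon.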