Application (client)
Types
The client type reflects the client's ability to keep its client credentials confidential, even from the resource owner.
Confidential: capable of keeping its credentials confidential, e.g. a secure server.
Public: incapable of keeping its credentials confidential, e.g. a web browser-based application or a mobile app.
Different application types will be allowed to execute different flows.
Profiles
Web application
Confidential client running on a web server.
User-agent based application
Public client where the client code runs on a user-agent application.
Native application
Public client installed and executed on the device used by the resource owner.
Registration (in an OAuth server)
Clients accessing OAuth servers must be previously registered.
Nevertheless, the standard does not exclude unregistered clients.
A registered client is given a unique identifier, a ClientID.
Registration includes informational, legal and operational data:
Redirection URLs
Acceptance of legal terms
Application (client) name, logo, website, description
Client type
Client authentication method (for confidential clients)
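The registration record described above, with the checks an authorization server can base on it, as an added example (not code from the original page). The class, field and function names, the sample clients, the per-type grant sets and the exact-match redirect rule are assumptions of this sketch; restricting client_credentials to confidential clients follows RFC 6749.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Flow policy per client type: an assumption of this example.
PUBLIC_GRANTS = {"authorization_code", "refresh_token"}
CONFIDENTIAL_GRANTS = PUBLIC_GRANTS | {"client_credentials"}

@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str               # "confidential" or "public"
    redirect_uris: tuple
    secret: Optional[str] = None   # a real server would store only a hash

def register(registry, client):
    """Reject registrations whose client type and credentials disagree."""
    if client.client_type not in ("confidential", "public"):
        raise ValueError("unknown client type")
    if client.client_type == "confidential" and not client.secret:
        raise ValueError("confidential client needs an authentication method")
    if client.client_type == "public" and client.secret:
        raise ValueError("public client cannot keep a secret confidential")
    if not client.redirect_uris:
        raise ValueError("at least one redirection URL is required")
    registry[client.client_id] = client

def redirect_allowed(registry, client_id, redirect_uri):
    """Exact string match against the registered redirection URLs."""
    client = registry.get(client_id)
    return client is not None and redirect_uri in client.redirect_uris

def grant_allowed(registry, client_id, grant_type, presented_secret=None):
    """Decide whether this client may run the requested flow."""
    client = registry.get(client_id)
    if client is None:
        return False
    if client.client_type == "public":
        return grant_type in PUBLIC_GRANTS   # nothing to authenticate with
    if grant_type not in CONFIDENTIAL_GRANTS or presented_secret is None:
        return False
    # Confidential clients must authenticate; compare in constant time.
    return hmac.compare_digest(client.secret.encode(), presented_secret.encode())

# Constructed sample registrations (not real clients).
REGISTRY = {}
register(REGISTRY, Client("web-app", "confidential",
                          ("https://app.example/cb",), secret="s3cr3t-constructed"))
register(REGISTRY, Client("mobile-app", "public", ("com.example.app:/cb",)))
```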