I aware that client_id and client_secret are assigned to client by the auth server.
client_id can be exposed while client_secret must be kept as a secret.
I just don't understand, why, in this case, would we need a client_id.
Isn't just the client_secret enough to identify the client app?
You can think about client_id and client_secret in a similar way to username and password.
In the same way you identify a user with a username, you can identify a client/application with client_id, client_id can be public, but the secret needs to be kept private.
The authentication server can have multiple clients registered, therefore it needs to be able to identify a tuple of id and secret to start the flow.
Related
I cannot understand what is the difference between API key, API key secret, Bearer Token, Access Token Access Secret. There is also Client ID and Client Secret which is something very confusing.
I wish to create a Twitter bot, but I find this very confusing. I have tried googling my question, and searching it up on youtube, but I have not found an answer that clears my question.
Admittedly the terms are a bit confusing;but these terms have the same meaning:
Consumer key = Customer key = Api key
Consumer secret = Customer secret = Api secret key
In general, tokens above and Bearer token represent the user that you are making the request on behalf of.
Access token and Access secret - they are Username and Password for your App.
And their usage:
Consumer key, Consumer secret, Access token, Access Secret (or only Access token and Access Secret depending on language and libraries you are using) - these are needed if your software make request to endpoints with POST method, that is if it tweets, replies to a tweet and etc.
If the software make request to endpoints with GET method then authenticating with Bearer Token is enough. Another use of Bearer Token is with Twitter API v2, which only accepts Bearer Token authentication if try to make requests to endpoints of this api.
For more detailed information Getting Access to Twitter API
If you want to simply read tweets, then Bearer Token is enough.
If you want to create tweets then you will need to use:
API Key
API Key Secret
Access Token
Access Token Secret
The client Id and client secret are not require.
There's a full articl here:
https://pythonhowtoprogram.com/how-to-build-a-twitter-bot-with-python-and-twitter-api-v2/
According to RFC6749 Chapter 4.1.1: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
In the specification of Authorization Request for Authorization Code grant,
Only client_id is required for Authentication. Since client type could be public, then that means anyone can get the Authorization Code, and then use it in Access Token Request - https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3. Here you only need to supply client_id (Which is public), Authorization Code (Which can obtain with NO authentication), redirect_uri and grant_type (Not for authentication/authorization purpose), and then you will be able to obtain an access token!
My question is, why there is NO any mandatory authorization/authentication procedure for this type of grant, then what is the purpose of having this type of grant? Same thing in Implicit grant.
The client authentication is not mandatory only for the clients that are registered as public client like Mobile Native Application. The Mobile Application can not hold client secret securely, hence it is not mandatory in authorization code grant and implicit grant. The client application like web application which can hold client secret securely in the server, such clients should be registered as confidential client. The clients that are registered as confidential client should present both client id and secret for client authentication.
OAuth2 server issues an authorization code after user authentication and after user approving consent with delegating rights to the client (identified by client_id). The auth code is then sent as a parameter to a client's registered redirect URI. So I don't know what you mean by "anyone can get the Authorization Code".
Public clients should be used with PKCE OAuth2 extension. Which serves as a one-time password. So even if an auth code get stolen, it cannot be exchanged for tokens without knowing the code_verifier parameter of the token endpoint.
If an attacker creates a malicious application using someone else's client_id (pretending to be the client), the auth code will still be sent to the client's redirect URL. If the attacker gets hold of this URL handler, then it's probably a problem beyond the scope of the OAuth2 protocol.
I'm trying to understand what each string in the Oauth 1 scheme does.
As per my understanding, the consumer key and consumer secret are used to sign a request to the api, from the calling application, and the access_token and access_secret pair are used as a proxy for the user's login credentials.
Am I right in my understanding?
Not quite. The consumer key is a value that identifies the client application that is being used to access the user resources, and the access token is the value that provides the authorization to access those resources.
A combination of the consumer secret and token secret are used to sign the request which provides verification that the request is being sent by an authorized party.
You can read more about the definitions of the oauth 1.0a spec here.
My understanding of the 'key' (or 'token') in OAUTH system is like a 'username' to identify the sender which is not confidential but 'secret' is actually like a 'password'.
But reading through the OAUTH 1.0 spec on http://oauth.net/core/1.0/#signing_process, it seems to me when consumer asks service provider for a token (either request token or access token) , the token and token secret are returned in PLAIN (just base-64 encoded) text as HTTP response.
And after searching web it looks in lots of not all case, the "request token URL" is HTTP not HTTPS which means a 3rd party may intercept the token and token secret.
So am I wrong thus far? I know even a 3rd party intercepted the token secret it's still useless as any request by consumer (or any party claim as the consumer) must be signatured with consumer key (plus token secrect) which the 3rd party usually don't know, but then why we need the token secret then?
Although it is permitted to use http, it is recommended (see appendix B.1) to use secure transport (https), otherwise your concerns are quite valid. I know for sure Google allows https:// on all their OAuth transactions, at least as far as getting the token and secret, and for all the API data requests that I've tried so far.
Why does OAuth include both an access token and an access token secret as two separate values? As a consumer or OAuth, all of the recommendations that I have seen indicate that I should store the token and secret together and essentially treat them as one value.
So why does the specification require two values in the first place?
Actually, the access token secret is never transmitted to the provider. Instead, requests transmit the access token, and then use the secret to sign the request. That is why you need both: one to identify, and one to secure
There are 2 secrets, one is token secret and other is consumer secret. Secrets are used to sign the requests (to generate the oauth signature) but not transmitted in the request header where token is sent in the header to identify the client and verify if it has access.