How to identify unique client using oauth with clientid and clientsecret?

  • Question

  • Hi,

    I am building a WebApi that will be used for integration by others and I want to use OAuth for authentication and authorization.
    As this WebApi will be called by a service or application at the customer, there is no real user associated to the call.
    (and therefore I did not want to force the customer to provide me with an email or similar, as this is not a user account.)
    So I decided to use ClientId and ClientSecret and my thought was to generate a ClientSecret for each customer (each "user" of the api).
    Here I think I made a mistake... as I realize that there seems to be no unique Id per generated ClientSecret.
    There is only the ClientSecret and a Description.

    Okay, maybe I can use the ClientSecret as Id. I tried to see if I could find the ClientSecret in the token, but I could not find it.
    (I was not really expecting to find it, as I think that would probably violate the security.)
    And the ClientId used (as you know) is actually the ApplicationId => the Id of my application (WebApi App) in Azure AD.

    So going back to the ClientId and ClientSecret authentication model.
    Is there really a way to know who (unique caller) is authenticated using OAuth ClientId and ClientSecret?

    What is the best practice in this case? I bet I am not the only one having webapis exposed to non-specific users.

    Ideas and suggestions appreciated

    Regards
    -Anders


    • Edited by carlberg Monday, September 10, 2018 9:04 AM
    Monday, September 10, 2018 12:43 AM

Answers

  • Client Secret cannot be used as Id and cannot be seen or retrieved in the token.

    Is there really a way to know who (unique caller) is authenticated using OAuth ClientId and ClientSecret?
    If you use the client credential flow and request an access token, you will see the claim type "oid" that contains the app id to identify an object in queries to Azure AD.

    If you use the username and password on-behalf flow and request an access token, you will see the claim type "oid" that contains the object id of a user to identify an object in queries to Azure AD.


    Monday, September 10, 2018 10:40 AM
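As an added example (not from the original thread), here is how a WebApi could act on the answer above: once the JWT middleware has validated the token's signature, expiry and issuer against Azure AD's published signing keys, read the `tid` and `oid` claims and map them to a registered customer, rejecting delegated tokens that carry `scp`. The audience URI, the registry entries and the unsigned demo token builder are constructed for this example.

```python
import base64
import json

# Constructed registry (assumed): which Azure AD service principal, keyed by
# (tenant id, object id), belongs to which customer. Filled in at onboarding,
# e.g. after the customer's admin consents to the API in their tenant.
CUSTOMER_REGISTRY = {
    ("11111111-1111-1111-1111-111111111111", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"): "contoso",
    ("22222222-2222-2222-2222-222222222222", "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"): "fabrikam",
}
EXPECTED_AUDIENCE = "api://my-webapi"  # assumed App ID URI of the WebApi


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. Decoding only: the signature, expiry
    and issuer must already have been verified by the JWT middleware against
    Azure AD's signing keys before anything here is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def identify_caller(claims: dict) -> str:
    """Map an app-only (client credentials) token to the customer it belongs to."""
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("token was not issued for this API")
    # A client credentials token carries no delegated scopes; a token with
    # "scp" was obtained on behalf of a signed-in user, not by a service.
    if "scp" in claims:
        raise PermissionError("delegated token, not a client credentials token")
    key = (claims.get("tid"), claims.get("oid"))
    if key not in CUSTOMER_REGISTRY:
        raise PermissionError("unknown service principal %s in tenant %s" % (key[1], key[0]))
    return CUSTOMER_REGISTRY[key]


def build_demo_token(claims: dict) -> str:
    """Constructed, unsigned fixture for offline testing of the decoder only.
    Real tokens are signed by Azure AD; the middleware rejects unsigned ones."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```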

All replies

  • See the doc for the basics of authentication https://developer.github.com/v3/guides/basics-of-authentication/

    Client Id and Secret https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

    • Proposed as answer by samyyysam Monday, September 10, 2018 8:19 PM
    Monday, September 10, 2018 8:19 PM
  • @Anders, have you had a chance to see the previous replies? If the suggestions were helpful, click “Mark as Answer” and Up-Vote. Feel free to reach out to us if you have additional questions in this regard.
    Wednesday, September 12, 2018 6:53 AM