bshaffer / oauth2-server-php-docs

documentation for the oauth2-server-php library

Public Client #48

Open z-vr opened 9 years ago

z-vr commented 9 years ago

Hi, do I understand correctly that I cannot use authorisation code as grant type without using client credentials? What I was trying to do is to send a user to a webpage from my standalone app (plugin actually), then redirect him back with an authorisation code, then use this auth code to receive access_token + refresh_token, and use the latter two to access my API. But I noticed that I need to send client_id and client_secret, which is inappropriate for an app because it can be hacked? One solution would be to use implicit authorisation, but then I can't use refresh tokens and have to set the access_token lifetime to quite a long period of time. On the other hand, I can create a unique client id for each user and pass client id + secret during the redirect. This way, each user has their own client and people can't hack my own admin client, so to speak. Which way do you think is better and why? Many thanks. Sorry if it's not an appropriate place to ask such a question.

bshaffer commented 9 years ago

This is the perfect place to ask! Although, I may not quite understand the problem. I think users of your plugin should create and configure their own client credentials when they install the plugin. Does that make sense?

On Thursday, October 30, 2014, Anton notifications@github.com wrote: [quoted the issue text above]

Sincerely, Brent Shaffer @bshaffer http://twitter.com/bshaffer

z-vr commented 9 years ago

Yeah, but I thought that there's just one client -- which is my plugin -- and all users share its id and secret (if auth is not implicit, in which case they don't even acquire the client_id and secret), and users are identified by including their id in handleAuthorizeRequest($req, $resp, $is_authorised, $user_id). So does there have to be a client for each new user?
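The two setups discussed in this thread (one client per plugin installation, and a client that has no secret at all) look like this with oauth2-server-php. This is an added example, not code from the library's docs or from either participant; the client ids, the redirect URI, the SQLite path and the `authorized` POST field are assumptions, and the secret value is a placeholder. The end user is identified by the `$user_id` argument to `handleAuthorizeRequest`, which comes from your own login session, not from the client credentials.

```php
<?php
// Added example (not from the library docs or this thread). Assumes oauth2-server-php
// installed via Composer and an SQLite database created with the library's schema.
require_once __DIR__ . '/vendor/autoload.php';

$storage = new OAuth2\Storage\Pdo(array('dsn' => 'sqlite:' . __DIR__ . '/oauth.sqlite'));

// Option 1: one confidential client per plugin installation, registered when the
// plugin is set up. The secret stays on the installing site's server.
$storage->setClientDetails(
    'plugin-install-7f3a',                          // assumed client_id, generated per install
    'REPLACE-WITH-RANDOM-PER-INSTALL-SECRET',       // placeholder; generate and store server-side
    'https://example-site.test/plugin/callback',    // assumed redirect URI
    'authorization_code refresh_token'              // grants this client may use
);

// Option 2: a public client. An empty secret means the token endpoint will not
// demand one, so nothing secret has to ship inside the plugin at all.
$storage->setClientDetails(
    'plugin-install-public-9c21',
    '',
    'https://example-site.test/plugin/callback',
    'authorization_code refresh_token'
);

$server = new OAuth2\Server($storage, array(
    'allow_public_clients'       => true,  // permit secret-less clients at the token endpoint
    'enforce_state'              => true,  // require the state parameter on authorize requests
    'require_exact_redirect_uri' => true,  // auth code is only redeemable via the registered URI
    'access_lifetime'            => 3600,  // short-lived access tokens; refresh tokens renew them
));
$server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));
$server->addGrantType(new OAuth2\GrantType\RefreshToken($storage, array(
    'always_issue_new_refresh_token' => true, // rotate the refresh token on every use
)));

// authorize.php: the user is identified by your own session, not by the client.
function handleAuthorize(OAuth2\Server $server, $loggedInUserId)
{
    $request  = OAuth2\Request::createFromGlobals();
    $response = new OAuth2\Response();
    if (!$server->validateAuthorizeRequest($request, $response)) {
        $response->send();
        return;
    }
    // Render a consent page in a real app; here the decision comes from an assumed POST field.
    $isAuthorized = isset($_POST['authorized']) && $_POST['authorized'] === 'yes';
    $server->handleAuthorizeRequest($request, $response, $isAuthorized, $loggedInUserId);
    $response->send();
}

// token.php: the plugin redeems the code here, and later presents its refresh token here.
function handleToken(OAuth2\Server $server)
{
    $server->handleTokenRequest(OAuth2\Request::createFromGlobals())->send();
}
```

With the public client, the only things binding a token request to an installation are the `client_id`, the registered `redirect_uri` and the single-use authorization code, so the `require_exact_redirect_uri` and `enforce_state` settings are doing real work; with the per-installation confidential client, the token endpoint additionally checks that installation's own secret, so a secret leaked from one site does not affect the others.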