Understanding the need of client id, client secret

2019-07-12 03:36发布

问题:

I have a web site that requires user to log in by providing their email and password to gain access token, where the access token token is used to access api.

User can then gain access to read/write with the scope provided by the access token.

So, what I would like to understand here is that what roles does client id and client secret play in such a case, and what benefits can implement client id and client secret provide? Because i really do not see the need of implementing client id and client secret since user may just use access token to gain access right.

回答1:

You don't have to issue client IDs if you can achieve what you want to do without them. For example, if you have privileges to handle email (user ID) and password directly, you don't need a client ID.

In general, client IDs are needed only when you want to allow (third-party) client applications to access (your service's) users' data with restricted privileges. In this case, each client application must be given authorization by a user. As a result, your system will need client IDs to know which client application the user has granted permissions to.



回答2:

BY using client id/ secret you can potentially control which clients are allowed to connect to your API and make decisions such as rate limit them or block them. This is the way that e.g. Twitter can ensure that no other twitter client is allowed to have over 100,000 users.