Client Id vs Client Secret


Dear readers,

I know what a Client ID and a Client Secret are. What I miss is how a client secret can add security to a client ID, i.e. compared with the case where I would only have the client ID (API key). In the password owner or client credentials flows I would store both secretly, so why wouldn't the client ID alone suffice? If one can steal the client ID, one can likely steal the client secret as well. I read that the client ID is considered public... hmm, is that really true? If so, in what sense is the client secret considered private?

Please help to fix our issues.

Thanks a lot.


@antonio bruno ,

Client ID: This is used to identify the application. Let's say you are building an app that would like to access Google Maps APIs. You need to register the app with Google, and Google will give you a client ID, which is an ID to identify the client, in our case your app. The Client ID is publicly available. For example, if you use 3-legged OAuth like Sign in with Google, you can see the client ID in the URL. So you cannot use the client ID as a secret.

Client Secret: This is the true secret key, which is stored securely on the server side and is not available to the public.

Remember, Client ID and Client Secret are common to many other grant types apart from the "Resource owner credentials grant". Yes, in resource owner password credentials the client ID is not exposed anywhere to the public, but it is supposed to be a public key in the overall OAuth context. As per the OAuth standard, you need both Client ID and Client Secret along with the user credentials to generate an access token. It's the standard defined by OAuth.

A straightforward answer is: it's the OAuth specification. You need to send them both and store the secret securely in the backend server along with the Client ID.

Hope it helps.

Thanks, Anil Sagar.
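As an added illustration (not code from this thread, from Apigee, or from Google), the following Python sketch shows the distinction the reply above draws: the client ID travels in the browser-visible authorization URL of the 3-legged flow, while the token endpoint only accepts a confidential client when the client secret matches a stored hash, so holding the ID alone never yields a token. All endpoint names, client identifiers and secret values are constructed.

```python
# Added example: public client_id vs private client_secret, as an OAuth 2.0
# authorization server would treat them. Registry, endpoints and values are
# constructed for illustration.
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed registry: the server keeps only a salted hash of each secret,
# never the secret itself, so a database leak does not hand out usable secrets.
_REGISTRY = {}
_ITERATIONS = 100_000

def register_client(client_id, client_secret):
    """Store a confidential client; only the hash of its secret is retained."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", client_secret.encode(), salt, _ITERATIONS)
    _REGISTRY[client_id] = (salt, digest)

def authorize_url(auth_endpoint, client_id, redirect_uri, state):
    """3-legged flow: the client_id is a query parameter the end user's browser
    sees, which is why it counts as public. The secret never appears here."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": state}
    return auth_endpoint + "?" + urlencode(query)

def authenticate_client(client_id, client_secret):
    """Token endpoint check (client_credentials or password grant): the id only
    selects the record; the secret is what proves the caller is that client."""
    entry = _REGISTRY.get(client_id)
    if entry is None or client_secret is None:
        return False
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", client_secret.encode(), salt, _ITERATIONS)
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    register_client("demo-app-id", "demo-app-secret")
    print(authorize_url("https://auth.example/authorize", "demo-app-id",
                        "https://app.example/callback", "state123"))
    print(authenticate_client("demo-app-id", "demo-app-secret"))  # True
    print(authenticate_client("demo-app-id", "demo-app-id"))      # False
```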

I think that the fact that the client ID is in the URL does not mean it is public. To me it is still not clear how the client secret adds security. Maybe a use case or example would help. In my understanding both client ID and client secret should be private, and both may not be stored or used 100% securely. I cannot imagine a case where one makes the client ID public and keeps the client secret secret (and how?). In fact, also in Edge, if you regenerate the client ID, Edge will regenerate both, right?

Is it okay to expose the Client Secret on the Google OAuth 2.0 Playground? It requires inputting the Client Secret for a refresh token. I understand Google does not log this, but is it secure?