OAuth
iFortunes, 2019-02-06 13:10:11

How to correctly implement authentication in OAuth without disclosing the user id?

Good day, point me in the right direction please.
When authenticating in Laravel OAuth, you need to pass:

{
  "grant_type":"password",
  "client_id":"1",
  "client_secret":"secret",
  "username":"username",
  "password":"111111"
}

Isn't it dangerous for the server to tell the client_id and client_secret to the client?

2 answer(s)
Dmitry Kuznetsov, 2019-02-06
@dima9595

client_id and client_secret, as I recall, are the data of the key itself for your application. In your case, the user ID is not passed in any way.
In this way, you in theory do not transfer this data to the user. This data array must be embedded in the program, and the user only has to enter the login and password from his account.

Alex Wells, 2019-02-06
@Alex_Wells

Yes, sending client_secret to the client is complete nonsense. But no one asks you about it, actually. I didn't work with Passport, but after re-reading the entire doc, I still couldn't find the place where the client_secret (not _id) would be passed to the client. The only thing I saw there was requests to my own server with this parameter, and in all other places where the user is redirected, I see only client_id.
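
The arrangement the answers point at, where client_secret appears only in requests made by your own server, can be sketched as follows. This is an added example, not code from the thread or from Passport; it assumes the client posts only username and password to your backend, and `buildTokenRequest` and `OAUTH_CONFIG` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed server-side configuration (assumption): in a real deployment
// these values come from the environment or a secrets store, never the client.
const OAUTH_CONFIG = [
    'client_id'     => '1',
    'client_secret' => 'placeholder-secret-kept-on-server',
];

/**
 * Build the body the backend sends to its own token endpoint.
 * Only username and password are read from the client input; every other
 * field is set here, so anything else the client supplies is ignored.
 */
function buildTokenRequest(array $clientInput, array $config): array
{
    foreach (['username', 'password'] as $field) {
        $value = $clientInput[$field] ?? null;
        if (!is_string($value) || $value === '') {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
    }

    return [
        'grant_type'    => 'password',
        'client_id'     => $config['client_id'],
        'client_secret' => $config['client_secret'],
        'username'      => $clientInput['username'],
        'password'      => $clientInput['password'],
    ];
}

// Constructed client payload that also tries to choose its own client and grant.
$fromClient = json_decode(
    '{"username":"username","password":"111111","client_id":"99","grant_type":"client_credentials"}',
    true
);

$request = buildTokenRequest($fromClient, OAUTH_CONFIG);

// Client-supplied client_id and grant_type are never copied into the request.
// The secret is redacted before display so it does not end up in logs.
$shown = array_replace($request, ['client_secret' => '[redacted]']);
echo json_encode($shown, JSON_PRETTY_PRINT), PHP_EOL;
```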
