Client Id and Secret

Hi

This may sound a bit naïve question - but I am too confused at the moment with authentication architecture - hence asking.

I have setup an application in Auth0. It has a client id and secret. The application uses google-oauth2 social connection. There I specify another client id and secret (generated from google dev console).

My question is: why do we have two client id/secret - what is the difference between the two?

Thanks.

Hi @amitudedhia,

To explain why there are two sets of credentials, I think it is helpful to know about OAuth2 roles.

Auth0 follows OAuth 2.0 as an authorization framework. In this protocol, there are a few different roles:

  • Resource Owner: Entity that can grant access to a protected resource. Typically, this is the end-user.
  • Resource Server: Server hosting the protected resources. This is the API you want to access.
  • Client: Application requesting access to a protected resource on behalf of the Resource Owner.
  • Authorization Server: Server that authenticates the Resource Owner and issues access tokens after getting proper authorization. In this case, Auth0.

For your application, Auth0 acts as the Authorization Server which handles authentication between your users (the Resource Owners) and your application (the Client). To do that, Auth0 must communicate with Google (the Resource Server) to 1) make sure that the user is logged in and 2) get profile information about the user such as their name and email address.

To summarize, when authentication occurs, your app needs to talk to Auth0, and Auth0 needs to talk to Google.

This means that your app needs a Client ID/Client Secret for Auth0 (the credentials found in the application settings in your dashboard), and your Auth0 tenant needs a Client ID/Client Secret from Google (the credentials found in the Google Social Connection configurations).

Another difference between the two sets of credentials is who issues them. Auth0 issues the Client ID/Client Secret to your application. Google issues the Client ID/Client Secret to your Auth0 tenant.

Here is some more information about OAuth 2.0: https://auth0.com/docs/protocols/protocol-oauth2.

I hope that helps! Let me know if you have any more questions.

Stephanie

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.