Authorization Basics


Client Authentication Overview

Client authentication is the process by which an authorization server identifies a client and either grants it a token (which the client can then use to access the resource server) or refuses to issue one.

Who Authenticates What in OAuth

There are two participants inside the client authentication flow:

  • Client is the application that requests access to protected resources on a resource server. It may be a third-party application, or an application that belongs to the organization owning the resources. In the client authentication flow, this is the party that authenticates.

  • Authorization server is the server that authenticates the client trying to access the protected resources and issues access tokens.


When Client Authentication Takes Place

The diagram below illustrates when client authentication takes place, how it works, what happens before it, and what happens after the client is authenticated.

To learn more about OAuth flows, see the OAuth Grant Types documentation.

    sequenceDiagram
      autoNumber
      participant User
      participant Client application
      participant Authorization server
      participant Resource server (API)
      activate User
      User->>Client application: Access
      activate Client application
      activate Authorization server
      Client application->>Authorization server: Request authorization
      deactivate Client application
      Authorization server->>User: Display consent
      User->>Authorization server: Give consent
      deactivate User
      Authorization server->>Client application: Issue authorization code
      activate Client application
      critical Authenticate Client Application
        Client application->>Authorization server: request /token with authorization code + client_id + client_secret + grant_type
        Note over Authorization server, Client application: Client is authenticated using the client_secret_post method
        Authorization server->>Authorization server: Validate the request
        Authorization server->>Authorization server: Mint Token
        Authorization server->>Client application: Return token
      end
      deactivate Authorization server
      Client application->>Resource server (API): Call API with token
      activate Resource server (API)
      Resource server (API)->>Client application: Return data
      deactivate Resource server (API)
      deactivate Client application

How Authorization Server Authenticates Client Apps

  1. An OAuth client application sends a request to the authorization server’s token endpoint.

    The example below shows a token request for client authentication using the client_secret_basic method with the authorization_code grant: the client ID and secret travel base64-encoded in the Basic Authorization header, and the grant parameters are sent form-encoded in the body.

    POST /{tid}/{aid}/oauth2/token HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic dl9aUnVyOWdtQ3gxTTlobGU5N2ZWQUd5amdCcUsya2hWdVlMZmZOLWVOZw==

    grant_type=authorization_code&code=xxxxxxxxxxx
    
  2. The authorization server validates the request.

    • It checks that the presented client credentials match the registered client, and that all parameters required by the chosen client authentication method and grant type are present.

  3. The authorization server generates the requested tokens (access/refresh/ID) and provides them to the client.

    Response Example

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"example",
      "expires_in":3600,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "scope":"openid profile"
    }
    

    Result

    The client is authenticated. The application is now able to request data from the resource server (your API).
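As an added illustration of steps 2 and 3 above (example code, not Cloudentity's own), the following token-endpoint sketch authenticates a client with either client_secret_basic or client_secret_post, checks that the parameters the grant type requires are present, and only then mints a token. The client registry, the way secrets are hashed, and the token format are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed client registry for the example: secrets are stored as SHA-256
# digests (fine for long random secrets), never in clear text.
CLIENTS = {"my-client": hashlib.sha256(b"my-client-secret").hexdigest()}
UNKNOWN_CLIENT = hashlib.sha256(b"unknown").hexdigest()  # dummy digest for timing parity
# Parameters the token endpoint requires for each grant type it supports.
REQUIRED_PARAMS = {"authorization_code": {"grant_type", "code"},
                   "client_credentials": {"grant_type"}}

def basic_header(client_id, client_secret):
    # client_secret_basic: base64("client_id:client_secret") in the Authorization header
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def authenticate_client(headers, form):
    """Return the authenticated client_id, or None if authentication fails."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):  # client_secret_basic
        try:
            client_id, client_secret = base64.b64decode(auth[6:], validate=True).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):  # bad base64, or no "id:secret" pair
            return None
    elif "client_id" in form and "client_secret" in form:  # client_secret_post
        client_id, client_secret = form["client_id"], form["client_secret"]
    else:
        return None
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # Always run the constant-time compare so unknown ids cost the same as bad secrets.
    matched = hmac.compare_digest(CLIENTS.get(client_id, UNKNOWN_CLIENT), presented)
    return client_id if matched and client_id in CLIENTS else None

def handle_token_request(headers, body):
    """Steps 2 and 3 of the flow: authenticate the client, validate parameters, mint a token."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    client_id = authenticate_client(headers, form)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    required = REQUIRED_PARAMS.get(form.get("grant_type"))
    if required is None:
        return 400, {"error": "unsupported_grant_type"}
    missing = required - set(form)
    if missing:
        return 400, {"error": "invalid_request", "error_description": f"missing {sorted(missing)}"}
    # Redeeming the code and checking its redirect_uri binding would happen here (omitted).
    return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}
```

Feeding the page's own Basic header value through `handle_token_request` yields 401 invalid_client, because its decoded value is not a registered `client_id:client_secret` pair.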

Client Authentication Methods

Depending on the authorization server configuration, client applications can use one of the following authentication methods:

Updated: Sep 8, 2023