OAuth Client Authentication
Each OAuth API endpoint requires the requesting client to authenticate itself:
- A confidential app must present both its client ID and secret in the Authorization header via HTTP Basic authentication (preferred) or using the client_id and client_secret query string parameters.
- A public app (which is not issued a client secret) must present the client ID using the client_id query string parameter.
Example
An example authorization request for a confidential app using Basic authentication looks like this:
GET /oauth/authorize
?response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foauth
&scope=openid%20email%20profile
&state=b3383ec07c5372aa9d22
HTTP/1.1
Host: warhorn.net
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
The same request for a public app would look like:
GET /oauth/authorize
?response_type=code
&client_id=Lw897vn3R7y6M2NfsA2BxJGM
&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foauth
&scope=openid%20email%20profile
&state=b3383ec07c5372aa9d22
HTTP/1.1
Host: warhorn.net
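The following is an added example, not code from Warhorn or this page, showing both sides of the rule above: a client helper that builds the two requests shown (Basic header for a confidential app, client_id query parameter for a public app), and a server-side check that accepts the header or the query parameters and never lets a confidential client downgrade to public by omitting its secret. The client registry and the function names are constructed for illustration; the confidential entry reuses the credentials encoded in the Basic header shown on this page.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed sample client registry (not Warhorn's data). A real server
# would store a hash of the secret rather than the secret itself.
CLIENTS = {
    "s6BhdRkqt3": {"confidential": True, "secret": "7Fjfp0ZBr1KtDRbnfVdmIw"},
    "Lw897vn3R7y6M2NfsA2BxJGM": {"confidential": False, "secret": None},
}


def basic_auth_header(client_id, client_secret):
    """Build RFC 7617 Basic credentials. RFC 6749 section 2.3.1 requires the
    id and secret to be form-urlencoded before they are joined with ':'."""
    userpass = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def build_authorize_request(client_id, client_secret=None, *,
                            redirect_uri="http://localhost:3000/oauth",
                            scope="openid email profile",
                            state="b3383ec07c5372aa9d22"):
    """Return (request_target, headers) for GET /oauth/authorize.
    A confidential app (secret given) authenticates in the Authorization
    header; a public app (no secret) sends client_id as a query parameter."""
    params = {"response_type": "code"}
    headers = {"Host": "warhorn.net"}
    if client_secret is None:
        params["client_id"] = client_id
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    params.update(redirect_uri=redirect_uri, scope=scope, state=state)
    # quote_via=quote encodes spaces as %20 and, with urlencode's default
    # safe="", slashes as %2F, matching the requests shown on this page.
    return "/oauth/authorize?" + urlencode(params, quote_via=quote), headers


def _verify_secret(client_id, presented_secret):
    """Constant-time secret check for a confidential client. Unknown ids are
    compared against a dummy so timing does not reveal which ids exist."""
    client = CLIENTS.get(client_id)
    expected = client["secret"] if client and client["confidential"] else "\x00" * 32
    ok = hmac.compare_digest(expected.encode(), presented_secret.encode())
    if not (client and client["confidential"] and ok):
        raise ValueError("invalid client credentials")
    return client_id


def authenticate_client(request_target, headers):
    """Server-side client authentication. Returns (client_id, method) or
    raises ValueError. Basic credentials take precedence; a confidential
    client that sends only client_id is rejected, never treated as public."""
    query = parse_qs(urlsplit(request_target).query)
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            raise ValueError("malformed Basic credentials")
        if ":" not in decoded:
            raise ValueError("malformed Basic credentials")
        cid, secret = (unquote(part) for part in decoded.split(":", 1))
        return _verify_secret(cid, secret), "basic"
    cid = query.get("client_id", [None])[0]
    if cid is None:
        raise ValueError("no client credentials presented")
    secret = query.get("client_secret", [None])[0]
    client = CLIENTS.get(cid)
    if client is None:
        raise ValueError("invalid client credentials")
    if not client["confidential"]:
        return cid, "public"
    if secret is None:
        raise ValueError("confidential client must present its secret")
    return _verify_secret(cid, secret), "query"


if __name__ == "__main__":
    for args in (("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw"), ("Lw897vn3R7y6M2NfsA2BxJGM",)):
        target, hdrs = build_authorize_request(*args)
        print(target, hdrs, "->", authenticate_client(target, hdrs))
```

Two points the check above makes explicit: the Basic header is the preferred path because the query string form puts the client secret into request logs, proxies and browser history, and a server must decide the client's type from its own registry rather than from which parameters the request happened to carry, otherwise a confidential client could authenticate with its (non-secret) client ID alone.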
Reference
MDN’s HTTP Authentication describes Basic authentication succinctly.
RFC 7617 is the formal definition for the Basic authentication scheme.