Client Registration

Introduction

Before an application can participate in OAuth grant type flows, it must be registered with the OAuth Authorization Server as an OAuth Client. During this registration, the application will be allocated a client identifier or client_id and (optionally) a client_secret. These are used when calling OAuth endpoints.

Confidential and Public clients

A confidential OAuth client is provided with both a client_id and a client_secret. This means it can authenticate itself to the OAuth Authorization Server when making token requests. An application registered as a confidential OAuth client must be able to keep the client_secret safe. This usually means that the application is running on server-side infrastructure.

A public OAuth client is provided with only a client_id. An application is registered as a public OAuth client when it does not have access to secure storage and so cannot keep a client_secret safe. This is usually the case when the application is running on client-side infrastructure such as a mobile device or as a "Single Page Application" in a browser, where anything embedded in the application can be extracted by the end user.

Some OAuth capabilities are not available to public OAuth clients. These are operations that rely on the Authorization Server authenticating the client: without a client_secret it cannot verify which application is calling, so grants such as the client credentials grant are restricted to confidential clients.
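The following is an added example, not code from the page or from IBM Security Verify. It models the token-endpoint check an Authorization Server performs for the two client types described above: a confidential client authenticates with its client_secret (HTTP Basic header or client_secret form field, per RFC 6749 section 2.3.1), a public client sends only its client_id, and a grant that depends on client authentication (client_credentials) is refused to any client that did not authenticate. The client registry, client_ids and secret are constructed for the example.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed client registry (hypothetical client_ids and secret; not from the page).
REGISTERED_CLIENTS = {
    "web-app": {"type": "confidential", "secret": "0a1b2c3d-not-a-real-secret"},
    "spa": {"type": "public", "secret": None},
}

# Grants that rely on client authentication and are therefore confidential-only.
CONFIDENTIAL_ONLY_GRANTS = {"client_credentials"}


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header a confidential client sends (RFC 6749 section 2.3.1)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return "Basic " + creds


def identify_client(headers, form):
    """Return (client_id, authenticated); raise ValueError("invalid_client") on bad credentials.

    Credentials may arrive in an HTTP Basic header or as a client_secret form field.
    A request carrying no secret at all is treated as an unauthenticated public-client call.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except Exception:
            raise ValueError("invalid_client")
        client_id, _, presented_secret = decoded.partition(":")
    else:
        client_id = form.get("client_id")
        presented_secret = form.get("client_secret")

    if not client_id or client_id not in REGISTERED_CLIENTS:
        raise ValueError("invalid_client")
    reg = REGISTERED_CLIENTS[client_id]

    if presented_secret is None:
        # Only a client_id was sent: acceptable for a public client, never for a confidential one.
        if reg["type"] == "confidential":
            raise ValueError("invalid_client")
        return client_id, False

    # A secret was presented: the client must have one registered and it must match
    # (constant-time comparison so a wrong guess leaks nothing through timing).
    if reg["secret"] is None or not hmac.compare_digest(
        presented_secret.encode(), reg["secret"].encode()
    ):
        raise ValueError("invalid_client")
    return client_id, True


def handle_token_request(headers, body):
    """Authorize a token-endpoint request; returns a dict shaped like the server's JSON reply."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    try:
        client_id, authenticated = identify_client(headers, form)
    except ValueError as err:
        return {"error": str(err)}
    grant = form.get("grant_type")
    if grant in CONFIDENTIAL_ONLY_GRANTS and not authenticated:
        # A public client cannot prove who it is, so it may not use client_credentials.
        return {"error": "unauthorized_client"}
    return {"client_id": client_id, "grant_type": grant, "client_authenticated": authenticated}


if __name__ == "__main__":
    hdr = {"Authorization": basic_auth_header("web-app", "0a1b2c3d-not-a-real-secret")}
    print(handle_token_request(hdr, "grant_type=client_credentials"))
    print(handle_token_request({}, "grant_type=client_credentials&client_id=spa"))
    print(handle_token_request({}, "grant_type=authorization_code&client_id=spa&code=abc"))
```

The two error codes mirror RFC 6749 section 5.2: invalid_client when authentication fails or is missing for a confidential client, unauthorized_client when the client is known but not permitted to use the requested grant. A public client still gets the authorization_code grant, which does not depend on a client_secret (production servers pair it with PKCE).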


Jon Harry, IBM Security