client_ id
Registry Context
`client_id` identifies a client registration at an authorization server. It is required in authorization code authorization requests and must be sent by an unauthenticated client when exchanging an authorization code.
Technical Summary
RFC 6749 defines the client identifier as a non-secret string issued by the authorization server and unique to that server. It cannot be used alone for client authentication. Clients may use the `client_id` request parameter to identify themselves at the token endpoint.
When Used
Authorization code authorization requests, unauthenticated authorization code token requests, and optional client identification at the token endpoint.
Normative Requirements
Clients
RFC 6749 - Section 3.2.1
Send its `client_id`..
Condition: When the client is unauthenticated and sends an authorization code grant request to the token endpoint.
An unauthenticated client MUST send its "client_id".
RFC 6749 - Section 4.1.1
Include `client_id` in the authorization request..
Condition: When constructing an authorization code authorization request.
client_id REQUIRED
RFC 6749 - Section 4.1.3
Include `client_id` in the token request..
Condition: If the client is not authenticating with the authorization server.
client_id REQUIRED, if the client is not authenticating
RFC 6749 - Section 3.2.1
Use the `client_id` request parameter to identify itself when sending requests to the token endpoint..
A client MAY use the "client_id" request parameter to identify itself.
Authorization servers
RFC 6749 - Section 4.1.3
Ensure the authorization code was issued to the authenticated confidential client or, for a public client, to the `client_id` in the request..
Condition: When processing an authorization code token request.
The authorization server MUST ensure that the authorization code was issued to the applicable client.
RFC 6749 - Section 2.2
Document the size of any client identifier it issues..
The authorization server SHOULD document the size of any identifier it issues.
Unspecified actor
RFC 6749 - Section 2.2
Use the client identifier alone for client authentication..
The client identifier MUST NOT be used alone for client authentication.
Validation Guidance
Reject authorization code authorization requests that omit `client_id`.
Reject authorization code token requests that omit `client_id` when the client is not authenticated.
Verify that the authorization code was issued to the authenticated confidential client or, for a public client, to the `client_id` in the request.
Do not treat `client_id` as a standalone authentication credential or secret.
Document the supported size of issued client identifiers.
Security Notes
RFC 6749 - Section 2.2
The client identifier is not a secret and is exposed to the resource owner.
RFC 6749 - Section 3.2.1
Sending `client_id` in an unauthenticated authorization code token request helps prevent a client from accepting a code intended for another client, but provides no additional security for the protected resource.
Reference
Details
- Entry Id
client_id - Name
client_id - Parameter Usage Location
authorization request, token request- Change Controller
IETF- Reference
RFC6749